Edit tour

Windows Analysis Report
PO.exe

Overview

General Information

Sample name:	PO.exe
Analysis ID:	1578874
MD5:	fbf77e7d5f394a432da4903e37c2e40a
SHA1:	27c9bd92be2199ee6ab036ca8bb2ad6119101e2c
SHA256:	34ec90ccd81677a867a00f697ece5799cdbbfaf76556701353fe8fcdc3c674c1
Tags:	exeuser-abuse_ch
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected DarkCloud

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: FBF77E7D5F394A432DA4903E37C2E40A)

powershell.exe (PID: 356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4628 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

lEIbxztPTKpOpY.exe (PID: 5812 cmdline: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe MD5: FBF77E7D5F394A432DA4903E37C2E40A)

schtasks.exe (PID: 7416 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7468 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

fretsaw.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fretsaw.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "SMTP", "To Address": "designer@grameenknit.com", "From Address": "designer@grameenknit.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x2d5cc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x558c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x2e5ac:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: PO.exe PID: 2940	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: PO.exe PID: 2940	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5608	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: lEIbxztPTKpOpY.exe PID: 5812	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: lEIbxztPTKpOpY.exe PID: 5812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.lEIbxztPTKpOpY.exe.45af2e4.1.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.514bc44.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.50d9c24.4.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
10.2.lEIbxztPTKpOpY.exe.4565a08.3.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
10.2.lEIbxztPTKpOpY.exe.4794728.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.5090348.5.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.5102368.3.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
10.2.lEIbxztPTKpOpY.exe.4794728.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.5102368.3.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.5090348.5.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.50d9c24.4.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
10.2.lEIbxztPTKpOpY.exe.45af2e4.1.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.PO.exe.514bc44.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
10.2.lEIbxztPTKpOpY.exe.4565a08.3.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 2940, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", ProcessId: 356, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5608, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sootiest

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe, ParentImage: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe, ParentProcessId: 5812, ParentProcessName: lEIbxztPTKpOpY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp", ProcessId: 7416, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 2940, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", ProcessId: 4628, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 2940, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe", ProcessId: 356, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO.exe", ParentImage: C:\Users\user\Desktop\PO.exe, ParentProcessId: 2940, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp", ProcessId: 4628, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T16:01:53.480786+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	162.55.60.2	80	TCP
2024-12-20T16:02:01.570663+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49716	162.55.60.2	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 10.2.lEIbxztPTKpOpY.exe.4794728.2.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "designer@grameenknit.com", "From Address": "designer@grameenknit.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: PO.exe	Virustotal: Detection: 62%			Perma Link
Source: PO.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Cookies
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})\|^((bitcoincash:)?(q\|p)[a-z0-9]{41})\|^((BITCOINCASH:)?(Q\|P)[A-Z0-9]{41})$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \Default\Login Data
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \Login Data
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Password :
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: SMTP Email Address
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: NNTP Email Address
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Email
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: HTTPMail User Name
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: HTTPMail Server
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Password
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Mastercard
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Visa Card
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Visa Master Card
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \logins.json
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \signons.sqlite
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Foxmail.exe
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: mail\
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: EnableSignature
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Application : FoxMail
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: encryptedUsername
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: logins
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: encryptedPassword
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: mail.grameenknit.com
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: Select * from Win32_ComputerSystem
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: \global-messages-db.sqlite
Source: 0.2.PO.exe.50d9c24.4.unpack	String decryptor: C:\\MailMasterData

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: fretsaw.exe, 00000012.00000000.1848234688.0000000000312000.00000002.00000001.01000000.00000011.sdmp, fretsaw.exe.9.dr
Source:	Binary string: W.pdb4 source: PO.exe, 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: fretsaw.exe, 00000012.00000000.1848234688.0000000000312000.00000002.00000001.01000000.00000011.sdmp, fretsaw.exe.9.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then jmp 0539A511h		0_2_05399C14
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then jmp 0539A511h		0_2_05399CF5

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: unknown

DNS query: name: showip.net

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 162.55.60.2:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 16_2_0043C410 InternetOpenA,InternetOpenUrlA,InternetReadFile,

16_2_0043C410

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic

DNS traffic detected: DNS query: showip.net

Source: PO.exe, lEIbxztPTKpOpY.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO.exe, lEIbxztPTKpOpY.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO.exe, 00000000.00000002.1562844855.000000000776B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.cy
Source: PO.exe, lEIbxztPTKpOpY.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 00000000.00000002.1556388708.00000000033CE000.00000004.00000800.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1630732232.0000000002C69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: PO.exe, lEIbxztPTKpOpY.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0193D404	0_2_0193D404
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0539B9B8	0_2_0539B9B8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05393C18	0_2_05393C18
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05391620	0_2_05391620
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05391E90	0_2_05391E90
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05394200	0_2_05394200
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05391A58	0_2_05391A58
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB9FC8	0_2_07FB9FC8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB96C8	0_2_07FB96C8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB1E7A	0_2_07FB1E7A
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB2CF8	0_2_07FB2CF8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB0B90	0_2_07FB0B90
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB80A0	0_2_07FB80A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB9FBA	0_2_07FB9FBA
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB4F10	0_2_07FB4F10
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB4F02	0_2_07FB4F02
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB96C3	0_2_07FB96C3
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8698	0_2_07FB8698
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8688	0_2_07FB8688
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8E40	0_2_07FB8E40
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB5588	0_2_07FB5588
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB5578	0_2_07FB5578
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FBA570	0_2_07FBA570
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FBA560	0_2_07FBA560
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB3D08	0_2_07FB3D08
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB3CF8	0_2_07FB3CF8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB2CAD	0_2_07FB2CAD
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB1440	0_2_07FB1440
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB2BE0	0_2_07FB2BE0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB53A8	0_2_07FB53A8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB5398	0_2_07FB5398
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB0B76	0_2_07FB0B76
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8358	0_2_07FB8358
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8348	0_2_07FB8348
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB0B3D	0_2_07FB0B3D
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8A90	0_2_07FB8A90
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8A80	0_2_07FB8A80
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB5118	0_2_07FB5118
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB5108	0_2_07FB5108
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB18D9	0_2_07FB18D9
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB8090	0_2_07FB8090
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB0040	0_2_07FB0040
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_07FB0006	0_2_07FB0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00406A18	9_2_00406A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040179D	9_2_0040179D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0042F640	9_2_0042F640
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_0126D404	10_2_0126D404
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_05126DC0	10_2_05126DC0
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_05120006	10_2_05120006
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_05120040	10_2_05120040
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_05126DB3	10_2_05126DB3
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07301E7A	10_2_07301E7A
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_073096C8	10_2_073096C8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07302CF8	10_2_07302CF8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07300B90	10_2_07300B90
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_073080A0	10_2_073080A0
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07304F10	10_2_07304F10
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07304F02	10_2_07304F02
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07309FBA	10_2_07309FBA
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07309FC8	10_2_07309FC8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308E40	10_2_07308E40
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_073096B8	10_2_073096B8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308698	10_2_07308698
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308688	10_2_07308688
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07303D08	10_2_07303D08
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_0730A570	10_2_0730A570
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_0730557A	10_2_0730557A
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_0730A560	10_2_0730A560
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07305588	10_2_07305588
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07301440	10_2_07301440
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07302CAF	10_2_07302CAF
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07302C97	10_2_07302C97
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07303CF8	10_2_07303CF8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07300B3D	10_2_07300B3D
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07300B77	10_2_07300B77
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308358	10_2_07308358
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308348	10_2_07308348
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_073053A8	10_2_073053A8
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07305398	10_2_07305398
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308A90	10_2_07308A90
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308A80	10_2_07308A80
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07305118	10_2_07305118
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07305108	10_2_07305108
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07300007	10_2_07300007
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07300040	10_2_07300040
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_07308090	10_2_07308090
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Code function: 10_2_073018D9	10_2_073018D9

Source: PO.exe

Static PE information: invalid certificate

Source: PO.exe, 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepalmad.exe vs PO.exe
Source: PO.exe, 00000000.00000000.1476361297.0000000000F72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFTcZ.exe. vs PO.exe
Source: PO.exe, 00000000.00000002.1562903103.00000000077C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO.exe
Source: PO.exe, 00000000.00000002.1557535702.00000000043D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO.exe
Source: PO.exe, 00000000.00000002.1563830224.000000000AD80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO.exe
Source: PO.exe, 00000000.00000002.1557535702.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO.exe
Source: PO.exe, 00000000.00000002.1553882696.000000000153E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO.exe
Source: PO.exe, 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepalmad.exe vs PO.exe
Source: PO.exe	Binary or memory string: OriginalFilenameFTcZ.exe. vs PO.exe

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: PO.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lEIbxztPTKpOpY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO.exe.ad80000.9.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO.exe.ad80000.9.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.ad80000.9.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, esm7c4r7Q65qcbAH55.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.ad80000.9.raw.unpack, esm7c4r7Q65qcbAH55.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, esm7c4r7Q65qcbAH55.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: RegSvcs.exe, 00000009.00000002.2729076960.0000000000448000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: O@*\AC:\Users\LENOVO\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp &j
Source: PO.exe, 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, RegSvcs.exe, 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: D*\AC:\Users\LENOVO\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: RegSvcs.exe	Binary or memory string: @*\AC:\Users\LENOVO\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/78@1/1

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Mutant created: \Sessions\1\BaseNamedObjects\SQgaSTTs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEB05.tmp

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogboosiesKhQkghmLOecvzzzzqDsmEfgZAqZAOiNtoiOJELzobTbCKdMrYNAgoddess.9.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PO.exe	Virustotal: Detection: 62%
Source: PO.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO.exe

Static file information: File size 1063944 > 1048576

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: fretsaw.exe, 00000012.00000000.1848234688.0000000000312000.00000002.00000001.01000000.00000011.sdmp, fretsaw.exe.9.dr
Source:	Binary string: W.pdb4 source: PO.exe, 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: fretsaw.exe, 00000012.00000000.1848234688.0000000000312000.00000002.00000001.01000000.00000011.sdmp, fretsaw.exe.9.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: PO.exe, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: lEIbxztPTKpOpY.exe.0.dr, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	.Net Code: WvFRfcv2yF System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.43d4468.7.raw.unpack, MainForm.cs	.Net Code: _202B_200C_200F_200D_200D_202A_206D_202C_200B_200E_202B_206E_206B_206B_206E_200B_200F_206E_200E_202E_200F_202A_200D_200B_206C_206B_200F_200B_200C_206A_206A_200F_202E_200C_206E_200F_206C_206D_202D_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	.Net Code: WvFRfcv2yF System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.ad80000.9.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	.Net Code: WvFRfcv2yF System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0539C2E2 push 0539C33Bh; ret	0_2_0539C32D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Code function: 22_2_0096089D push esp; ret	22_2_0096089E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Code function: 22_2_00960838 push ebx; ret	22_2_00960842

Source: PO.exe	Static PE information: section name: .text entropy: 7.7873724166581635
Source: lEIbxztPTKpOpY.exe.0.dr	Static PE information: section name: .text entropy: 7.7873724166581635

Source: 0.2.PO.exe.4ee4728.6.raw.unpack, oGveZOyMlF7Wmfnk5q.cs	High entropy of concatenated method names: 'XZolW08VxA', 'vm2li2oJCJ', 't8glrNcoiC', 'z45lyvr7ZX', 'edllmPV6pE', 'vljlXpmCBX', 'YyAl5j15pN', 'S4QlT5WJYq', 'UsUl1NahBO', 'OVDlVrRdMf'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, ThOeDS6RbriN9G15Xes.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RBQO1ZLOES', 'QrwOVsrmId', 'JGdOGu0Pk0', 'OExOOQ3UTX', 'SZVOBSc8BP', 'K2nOYGI15b', 'pa4OAtXOhW'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, DHhNtJtiKM5PNNtWng.cs	High entropy of concatenated method names: 'FI9ZnX2SVC', 'RdeZjgwWQV', 'mn7ZfUyy5g', 'zSNZWxSQwJ', 'E6mZQ2vvV3', 'ljFZiLELW6', 'kKPZMjBdvr', 'PdRZrOCuN3', 'o9aZyPvGvP', 'Wq4ZwCM5b3'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, TLqn2AqeS8BW1bfnCj.cs	High entropy of concatenated method names: 'SZFfKLwhy', 'HkZWeICnu', 'Qg7iDi2op', 'HlhMUmCh2', 'TSoy7RA6k', 'JdAwouvqs', 'nOcvWUiyGZmsfILASh', 'CRTn9kKvPfyNneDjnd', 'DXOTFWMrn', 'Tm4VppxPC'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, jH01Y3anKOVrv2OXBq.cs	High entropy of concatenated method names: 'Dispose', 'vTU6cxX3Hk', 'uiuq3cv76n', 'G3OHXsWkC1', 'Ypm6UcVoLH', 'ajB6zo7FRf', 'ProcessDialogKey', 'JhOq9rsMZ2', 'mSJq69XwSD', 'JI4qqMWnc8'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, xJIhMmDpyC2hAaLxwH.cs	High entropy of concatenated method names: 'jEh505yoGE', 'CgR5U6gr7d', 'sElT9nph3r', 'LGKT6W4Zgx', 'vGV5uIK8OV', 'guv5PtyPAN', 'k705bqDA11', 'vlC5NCdOO7', 'ggN5vRb1TV', 'cpa5dB1fjV'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	High entropy of concatenated method names: 'UHKSKhT5aM', 'ywrSk65jqd', 'y4ySaHc23J', 'YQkSl7xCHL', 'SNFSFHTTKE', 'iy3SpP0xik', 'JnDSZKiIIh', 'tr8SgjaNYH', 'N5ISxnfLhV', 'qsWS25KUho'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, bTm2fKNJAYn3ao8Ybp.cs	High entropy of concatenated method names: 'dcnmJ6EbEe', 'UcomP5mcYs', 'eL1mNbo018', 'ufAmvXZ6k7', 'ekEm3h99iR', 'WWYmCf7CGr', 'cf8m8uX68Y', 'J6OmsMPNf6', 'Y1cm4kjbg8', 'b6Bmoi3irG'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, zkExntwj3fh3rmQvEX.cs	High entropy of concatenated method names: 'ygxFQXJuGW', 'BTnFMEDkfl', 'LTJlC2T0TM', 'Bltl8K1gd7', 'u58ls0p30V', 'svdl4tP4W1', 'MEelofuIww', 'dJ6lL5FF7a', 'uOultemY0b', 'm8WlJbE1ro'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, x5EQEoRQwIPJnTM3WR.cs	High entropy of concatenated method names: 'mAK6Zsm7c4', 'UQ66g5qcbA', 'uMl62F7Wmf', 'xk56IqfkEx', 'oQv6mEX4nq', 'Gfn6XwmqWq', 'eH8RrFxdmF01EaF8uHN', 'vuK8WCxscLqiXhuRTAy', 'yG7OctxxYDQJXYNTJbj', 'c9W663Pnlg'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, h67S0PovqCM89d3vOE.cs	High entropy of concatenated method names: 'waEZkC4Aaa', 'iD8ZlQ0UUn', 'oA0ZpWnjvS', 'fBwpU3KLus', 'xvBpzwuLgy', 'xyLZ9B91Vo', 'zPWZ6Hqbd4', 'xWjZqJQcyv', 'R9XZSWXJ0A', 'NuBZRHx9NP'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, ursMZ2c2SJ9XwSD8I4.cs	High entropy of concatenated method names: 'aig1hlaHVG', 'RIx13H145w', 'Hs31CQSYk9', 'XRg18SeH6K', 'yMf1sUj8LP', 'SxS14n3mTZ', 'Ffi1oOksS5', 'BCv1Lq5C5s', 'rGK1t1dQra', 'Fyh1JBc1J6'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, bwB336b5U02x5HXFqT.cs	High entropy of concatenated method names: 'a6ZHr6Hicl', 'VVLHyFDNaZ', 'EasHhS5u7c', 'NAsH3vcpp5', 'ngFH8lHKZL', 'AdBHsg78l5', 'tj1HoMRU3W', 'nPCHL88Llp', 'CcfHJw11qF', 'eN3Hul8ZNh'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, PoiHCbzJ0khjXCspH2.cs	High entropy of concatenated method names: 'Y5wVibF0od', 'UoyVrpt3j9', 'DNAVyiIqS1', 'A7FVhYi3ex', 'JdDV3SGAKQ', 'tQuV8uhid4', 'YukVsQX4e7', 'M73VAwdVSE', 'dDGVneZGK9', 'XxrVjDgPMO'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, cA11Ya69s7mB2CsdBFk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'va7Vujc8r1', 'rHIVPafxsV', 'SvnVbvcI5J', 'v6dVNolh3i', 't4sVvetGYD', 'PTOVdStlaQ', 'FMrVeVcrSS'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, y8nkrNdr4iI94pbq5c.cs	High entropy of concatenated method names: 'ToString', 'ENNXuTID44', 'M8hX3Zctjo', 'PpmXCdhJvw', 'vjpX8UkyiR', 'nRYXshhSBi', 'c8aX4VCMjN', 'Q36XoPq727', 'bC4XL7VO8U', 'eHGXtgZQhr'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, CWnc8jUOkBX0SqsqfO.cs	High entropy of concatenated method names: 'IFDVl09LWx', 'KcXVFBmTlc', 'IwoVpLGBhv', 'ENgVZEA0dt', 'sqLV1sekZQ', 'TeTVgIpYg6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, Knq3fnhwmqWqVswW2C.cs	High entropy of concatenated method names: 'YSJpK2mUno', 'Od2pat6DG7', 'rMXpFH6aTZ', 'dt0pZVaHBv', 'wZTpgi4V6l', 'sesF7O4Wml', 'C1OFDr5HwJ', 'QWBFE1Xnwb', 'UthF0pf2Kd', 'XbgFcwLghv'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, MYkrOxEW6BTUxX3HkU.cs	High entropy of concatenated method names: 'uE31mY81gf', 'Mc4152ju30', 'PDe1168xpE', 'TdE1G7Csr7', 'swx1BpqcYf', 'Snf1ABgUbK', 'Dispose', 'KE5TkTvKZ1', 'hA1TamjRXo', 'KGyTljYqCS'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, esm7c4r7Q65qcbAH55.cs	High entropy of concatenated method names: 'pvqaNFT7em', 'djPav0vsRN', 'ap2adL1hws', 'sK1ae7EvkM', 'Htpa7EIXZX', 'R50aDxhUCf', 'qtFaE2rr0y', 'GJea0B3P4F', 'avEacCZlan', 'fy2aUaJjJ4'
Source: 0.2.PO.exe.4ee4728.6.raw.unpack, v9iWcF66S6BeWFdaee3.cs	High entropy of concatenated method names: 'lIdVUhQwvC', 'f5qVzTWwEW', 'WtnG9LAIEa', 'MM5G62qYDI', 'GxUGq02PbV', 'Ek8GSAOvX8', 'cGPGReH365', 'qmeGKBaSlW', 'Vi6GkwAJZo', 'PcIGawn0AA'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, oGveZOyMlF7Wmfnk5q.cs	High entropy of concatenated method names: 'XZolW08VxA', 'vm2li2oJCJ', 't8glrNcoiC', 'z45lyvr7ZX', 'edllmPV6pE', 'vljlXpmCBX', 'YyAl5j15pN', 'S4QlT5WJYq', 'UsUl1NahBO', 'OVDlVrRdMf'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, ThOeDS6RbriN9G15Xes.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RBQO1ZLOES', 'QrwOVsrmId', 'JGdOGu0Pk0', 'OExOOQ3UTX', 'SZVOBSc8BP', 'K2nOYGI15b', 'pa4OAtXOhW'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, DHhNtJtiKM5PNNtWng.cs	High entropy of concatenated method names: 'FI9ZnX2SVC', 'RdeZjgwWQV', 'mn7ZfUyy5g', 'zSNZWxSQwJ', 'E6mZQ2vvV3', 'ljFZiLELW6', 'kKPZMjBdvr', 'PdRZrOCuN3', 'o9aZyPvGvP', 'Wq4ZwCM5b3'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, TLqn2AqeS8BW1bfnCj.cs	High entropy of concatenated method names: 'SZFfKLwhy', 'HkZWeICnu', 'Qg7iDi2op', 'HlhMUmCh2', 'TSoy7RA6k', 'JdAwouvqs', 'nOcvWUiyGZmsfILASh', 'CRTn9kKvPfyNneDjnd', 'DXOTFWMrn', 'Tm4VppxPC'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, jH01Y3anKOVrv2OXBq.cs	High entropy of concatenated method names: 'Dispose', 'vTU6cxX3Hk', 'uiuq3cv76n', 'G3OHXsWkC1', 'Ypm6UcVoLH', 'ajB6zo7FRf', 'ProcessDialogKey', 'JhOq9rsMZ2', 'mSJq69XwSD', 'JI4qqMWnc8'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, xJIhMmDpyC2hAaLxwH.cs	High entropy of concatenated method names: 'jEh505yoGE', 'CgR5U6gr7d', 'sElT9nph3r', 'LGKT6W4Zgx', 'vGV5uIK8OV', 'guv5PtyPAN', 'k705bqDA11', 'vlC5NCdOO7', 'ggN5vRb1TV', 'cpa5dB1fjV'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	High entropy of concatenated method names: 'UHKSKhT5aM', 'ywrSk65jqd', 'y4ySaHc23J', 'YQkSl7xCHL', 'SNFSFHTTKE', 'iy3SpP0xik', 'JnDSZKiIIh', 'tr8SgjaNYH', 'N5ISxnfLhV', 'qsWS25KUho'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, bTm2fKNJAYn3ao8Ybp.cs	High entropy of concatenated method names: 'dcnmJ6EbEe', 'UcomP5mcYs', 'eL1mNbo018', 'ufAmvXZ6k7', 'ekEm3h99iR', 'WWYmCf7CGr', 'cf8m8uX68Y', 'J6OmsMPNf6', 'Y1cm4kjbg8', 'b6Bmoi3irG'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, zkExntwj3fh3rmQvEX.cs	High entropy of concatenated method names: 'ygxFQXJuGW', 'BTnFMEDkfl', 'LTJlC2T0TM', 'Bltl8K1gd7', 'u58ls0p30V', 'svdl4tP4W1', 'MEelofuIww', 'dJ6lL5FF7a', 'uOultemY0b', 'm8WlJbE1ro'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, x5EQEoRQwIPJnTM3WR.cs	High entropy of concatenated method names: 'mAK6Zsm7c4', 'UQ66g5qcbA', 'uMl62F7Wmf', 'xk56IqfkEx', 'oQv6mEX4nq', 'Gfn6XwmqWq', 'eH8RrFxdmF01EaF8uHN', 'vuK8WCxscLqiXhuRTAy', 'yG7OctxxYDQJXYNTJbj', 'c9W663Pnlg'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, h67S0PovqCM89d3vOE.cs	High entropy of concatenated method names: 'waEZkC4Aaa', 'iD8ZlQ0UUn', 'oA0ZpWnjvS', 'fBwpU3KLus', 'xvBpzwuLgy', 'xyLZ9B91Vo', 'zPWZ6Hqbd4', 'xWjZqJQcyv', 'R9XZSWXJ0A', 'NuBZRHx9NP'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, ursMZ2c2SJ9XwSD8I4.cs	High entropy of concatenated method names: 'aig1hlaHVG', 'RIx13H145w', 'Hs31CQSYk9', 'XRg18SeH6K', 'yMf1sUj8LP', 'SxS14n3mTZ', 'Ffi1oOksS5', 'BCv1Lq5C5s', 'rGK1t1dQra', 'Fyh1JBc1J6'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, bwB336b5U02x5HXFqT.cs	High entropy of concatenated method names: 'a6ZHr6Hicl', 'VVLHyFDNaZ', 'EasHhS5u7c', 'NAsH3vcpp5', 'ngFH8lHKZL', 'AdBHsg78l5', 'tj1HoMRU3W', 'nPCHL88Llp', 'CcfHJw11qF', 'eN3Hul8ZNh'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, PoiHCbzJ0khjXCspH2.cs	High entropy of concatenated method names: 'Y5wVibF0od', 'UoyVrpt3j9', 'DNAVyiIqS1', 'A7FVhYi3ex', 'JdDV3SGAKQ', 'tQuV8uhid4', 'YukVsQX4e7', 'M73VAwdVSE', 'dDGVneZGK9', 'XxrVjDgPMO'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, cA11Ya69s7mB2CsdBFk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'va7Vujc8r1', 'rHIVPafxsV', 'SvnVbvcI5J', 'v6dVNolh3i', 't4sVvetGYD', 'PTOVdStlaQ', 'FMrVeVcrSS'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, y8nkrNdr4iI94pbq5c.cs	High entropy of concatenated method names: 'ToString', 'ENNXuTID44', 'M8hX3Zctjo', 'PpmXCdhJvw', 'vjpX8UkyiR', 'nRYXshhSBi', 'c8aX4VCMjN', 'Q36XoPq727', 'bC4XL7VO8U', 'eHGXtgZQhr'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, CWnc8jUOkBX0SqsqfO.cs	High entropy of concatenated method names: 'IFDVl09LWx', 'KcXVFBmTlc', 'IwoVpLGBhv', 'ENgVZEA0dt', 'sqLV1sekZQ', 'TeTVgIpYg6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, Knq3fnhwmqWqVswW2C.cs	High entropy of concatenated method names: 'YSJpK2mUno', 'Od2pat6DG7', 'rMXpFH6aTZ', 'dt0pZVaHBv', 'wZTpgi4V6l', 'sesF7O4Wml', 'C1OFDr5HwJ', 'QWBFE1Xnwb', 'UthF0pf2Kd', 'XbgFcwLghv'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, MYkrOxEW6BTUxX3HkU.cs	High entropy of concatenated method names: 'uE31mY81gf', 'Mc4152ju30', 'PDe1168xpE', 'TdE1G7Csr7', 'swx1BpqcYf', 'Snf1ABgUbK', 'Dispose', 'KE5TkTvKZ1', 'hA1TamjRXo', 'KGyTljYqCS'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, esm7c4r7Q65qcbAH55.cs	High entropy of concatenated method names: 'pvqaNFT7em', 'djPav0vsRN', 'ap2adL1hws', 'sK1ae7EvkM', 'Htpa7EIXZX', 'R50aDxhUCf', 'qtFaE2rr0y', 'GJea0B3P4F', 'avEacCZlan', 'fy2aUaJjJ4'
Source: 0.2.PO.exe.4f9a948.0.raw.unpack, v9iWcF66S6BeWFdaee3.cs	High entropy of concatenated method names: 'lIdVUhQwvC', 'f5qVzTWwEW', 'WtnG9LAIEa', 'MM5G62qYDI', 'GxUGq02PbV', 'Ek8GSAOvX8', 'cGPGReH365', 'qmeGKBaSlW', 'Vi6GkwAJZo', 'PcIGawn0AA'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, oGveZOyMlF7Wmfnk5q.cs	High entropy of concatenated method names: 'XZolW08VxA', 'vm2li2oJCJ', 't8glrNcoiC', 'z45lyvr7ZX', 'edllmPV6pE', 'vljlXpmCBX', 'YyAl5j15pN', 'S4QlT5WJYq', 'UsUl1NahBO', 'OVDlVrRdMf'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, ThOeDS6RbriN9G15Xes.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'RBQO1ZLOES', 'QrwOVsrmId', 'JGdOGu0Pk0', 'OExOOQ3UTX', 'SZVOBSc8BP', 'K2nOYGI15b', 'pa4OAtXOhW'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, DHhNtJtiKM5PNNtWng.cs	High entropy of concatenated method names: 'FI9ZnX2SVC', 'RdeZjgwWQV', 'mn7ZfUyy5g', 'zSNZWxSQwJ', 'E6mZQ2vvV3', 'ljFZiLELW6', 'kKPZMjBdvr', 'PdRZrOCuN3', 'o9aZyPvGvP', 'Wq4ZwCM5b3'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, TLqn2AqeS8BW1bfnCj.cs	High entropy of concatenated method names: 'SZFfKLwhy', 'HkZWeICnu', 'Qg7iDi2op', 'HlhMUmCh2', 'TSoy7RA6k', 'JdAwouvqs', 'nOcvWUiyGZmsfILASh', 'CRTn9kKvPfyNneDjnd', 'DXOTFWMrn', 'Tm4VppxPC'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, jH01Y3anKOVrv2OXBq.cs	High entropy of concatenated method names: 'Dispose', 'vTU6cxX3Hk', 'uiuq3cv76n', 'G3OHXsWkC1', 'Ypm6UcVoLH', 'ajB6zo7FRf', 'ProcessDialogKey', 'JhOq9rsMZ2', 'mSJq69XwSD', 'JI4qqMWnc8'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, xJIhMmDpyC2hAaLxwH.cs	High entropy of concatenated method names: 'jEh505yoGE', 'CgR5U6gr7d', 'sElT9nph3r', 'LGKT6W4Zgx', 'vGV5uIK8OV', 'guv5PtyPAN', 'k705bqDA11', 'vlC5NCdOO7', 'ggN5vRb1TV', 'cpa5dB1fjV'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, zmU5FIgmLdGhrZQlFb.cs	High entropy of concatenated method names: 'UHKSKhT5aM', 'ywrSk65jqd', 'y4ySaHc23J', 'YQkSl7xCHL', 'SNFSFHTTKE', 'iy3SpP0xik', 'JnDSZKiIIh', 'tr8SgjaNYH', 'N5ISxnfLhV', 'qsWS25KUho'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, bTm2fKNJAYn3ao8Ybp.cs	High entropy of concatenated method names: 'dcnmJ6EbEe', 'UcomP5mcYs', 'eL1mNbo018', 'ufAmvXZ6k7', 'ekEm3h99iR', 'WWYmCf7CGr', 'cf8m8uX68Y', 'J6OmsMPNf6', 'Y1cm4kjbg8', 'b6Bmoi3irG'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, zkExntwj3fh3rmQvEX.cs	High entropy of concatenated method names: 'ygxFQXJuGW', 'BTnFMEDkfl', 'LTJlC2T0TM', 'Bltl8K1gd7', 'u58ls0p30V', 'svdl4tP4W1', 'MEelofuIww', 'dJ6lL5FF7a', 'uOultemY0b', 'm8WlJbE1ro'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, x5EQEoRQwIPJnTM3WR.cs	High entropy of concatenated method names: 'mAK6Zsm7c4', 'UQ66g5qcbA', 'uMl62F7Wmf', 'xk56IqfkEx', 'oQv6mEX4nq', 'Gfn6XwmqWq', 'eH8RrFxdmF01EaF8uHN', 'vuK8WCxscLqiXhuRTAy', 'yG7OctxxYDQJXYNTJbj', 'c9W663Pnlg'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, h67S0PovqCM89d3vOE.cs	High entropy of concatenated method names: 'waEZkC4Aaa', 'iD8ZlQ0UUn', 'oA0ZpWnjvS', 'fBwpU3KLus', 'xvBpzwuLgy', 'xyLZ9B91Vo', 'zPWZ6Hqbd4', 'xWjZqJQcyv', 'R9XZSWXJ0A', 'NuBZRHx9NP'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, ursMZ2c2SJ9XwSD8I4.cs	High entropy of concatenated method names: 'aig1hlaHVG', 'RIx13H145w', 'Hs31CQSYk9', 'XRg18SeH6K', 'yMf1sUj8LP', 'SxS14n3mTZ', 'Ffi1oOksS5', 'BCv1Lq5C5s', 'rGK1t1dQra', 'Fyh1JBc1J6'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, bwB336b5U02x5HXFqT.cs	High entropy of concatenated method names: 'a6ZHr6Hicl', 'VVLHyFDNaZ', 'EasHhS5u7c', 'NAsH3vcpp5', 'ngFH8lHKZL', 'AdBHsg78l5', 'tj1HoMRU3W', 'nPCHL88Llp', 'CcfHJw11qF', 'eN3Hul8ZNh'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, PoiHCbzJ0khjXCspH2.cs	High entropy of concatenated method names: 'Y5wVibF0od', 'UoyVrpt3j9', 'DNAVyiIqS1', 'A7FVhYi3ex', 'JdDV3SGAKQ', 'tQuV8uhid4', 'YukVsQX4e7', 'M73VAwdVSE', 'dDGVneZGK9', 'XxrVjDgPMO'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, cA11Ya69s7mB2CsdBFk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'va7Vujc8r1', 'rHIVPafxsV', 'SvnVbvcI5J', 'v6dVNolh3i', 't4sVvetGYD', 'PTOVdStlaQ', 'FMrVeVcrSS'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, y8nkrNdr4iI94pbq5c.cs	High entropy of concatenated method names: 'ToString', 'ENNXuTID44', 'M8hX3Zctjo', 'PpmXCdhJvw', 'vjpX8UkyiR', 'nRYXshhSBi', 'c8aX4VCMjN', 'Q36XoPq727', 'bC4XL7VO8U', 'eHGXtgZQhr'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, CWnc8jUOkBX0SqsqfO.cs	High entropy of concatenated method names: 'IFDVl09LWx', 'KcXVFBmTlc', 'IwoVpLGBhv', 'ENgVZEA0dt', 'sqLV1sekZQ', 'TeTVgIpYg6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, Knq3fnhwmqWqVswW2C.cs	High entropy of concatenated method names: 'YSJpK2mUno', 'Od2pat6DG7', 'rMXpFH6aTZ', 'dt0pZVaHBv', 'wZTpgi4V6l', 'sesF7O4Wml', 'C1OFDr5HwJ', 'QWBFE1Xnwb', 'UthF0pf2Kd', 'XbgFcwLghv'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, MYkrOxEW6BTUxX3HkU.cs	High entropy of concatenated method names: 'uE31mY81gf', 'Mc4152ju30', 'PDe1168xpE', 'TdE1G7Csr7', 'swx1BpqcYf', 'Snf1ABgUbK', 'Dispose', 'KE5TkTvKZ1', 'hA1TamjRXo', 'KGyTljYqCS'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, esm7c4r7Q65qcbAH55.cs	High entropy of concatenated method names: 'pvqaNFT7em', 'djPav0vsRN', 'ap2adL1hws', 'sK1ae7EvkM', 'Htpa7EIXZX', 'R50aDxhUCf', 'qtFaE2rr0y', 'GJea0B3P4F', 'avEacCZlan', 'fy2aUaJjJ4'
Source: 0.2.PO.exe.ad80000.9.raw.unpack, v9iWcF66S6BeWFdaee3.cs	High entropy of concatenated method names: 'lIdVUhQwvC', 'f5qVzTWwEW', 'WtnG9LAIEa', 'MM5G62qYDI', 'GxUGq02PbV', 'Ek8GSAOvX8', 'cGPGReH365', 'qmeGKBaSlW', 'Vi6GkwAJZo', 'PcIGawn0AA'

Source: C:\Users\user\Desktop\PO.exe	File created: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sootiest	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sootiest	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sootiest	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce sootiest	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO.exe PID: 2940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lEIbxztPTKpOpY.exe PID: 5812, type: MEMORYSTR

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk

Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 18F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 5380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 8100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 9100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: 92B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: A2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: BE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory allocated: CE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 7450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 8450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 85E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: 95E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: A150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 26B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 960000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 26E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Memory allocated: 2400000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7695	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7901	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 1237	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 1067

Source: C:\Users\user\Desktop\PO.exe TID: 4032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3480	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3832	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe TID: 1608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe TID: 7796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates	Jump to behavior

Source: WebData.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: WebData.9.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: WebData.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: WebData.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: WebData.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: WebData.9.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WebData.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: WebData.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Q>
Source: WebData.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: WebData.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: WebData.9.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: WebData.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: WebData.9.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: lEIbxztPTKpOpY.exe, 0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmtools
Source: WebData.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: WebData.9.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: WebData.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: WebData.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: WebData.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: WebData.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\PO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 448000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BDA008	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:34]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:40<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:12]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:47]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:18]<<Program Manager>>h
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:03:42]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:36]<<Program Manager>>}
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:56]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager.exel
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:11]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, KeyDataxvXGxqSs.txt.9.dr	Binary or memory string: [10:03:33]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:02<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:22]<<Program Manager>>]<<
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:45]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:07]<<Program Manager>>8
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:46]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:21]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:26]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :57]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:48]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:34]<<Program Manager>>j
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:04]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:13]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:25]<<Program Manager>>anageM
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:41]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:08]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735423455.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:25]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:31]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:59]<<Program Managerb.style.top="-10000px";b.style.zIndex="-10000";return b};function Ma(a){this.h=R(a)}n(Ma,T);function lb(a){this.h=R(a)}n(lb,T);var mb=Qa(lb);function nb(a){a=Na(a,4)\|\|"";if(void 0===U){var b=null;var c=p.trustedTypes;if(c&&c.createPolicy){try{b=c.createPolicy("goog#html",{createHTML:q,createScript:q,createScriptURL:q})}catch(d){p.console&&p.console.error(d.message)}U=b}else U=b}a=(b=U)?b.createScriptURL(a):a;return new V(a,Ta)};function ob(a,b){this.m=a;this.o=new Wa(a.document);this.g=b;this.j=S(this.g,1);this.u=nb(La(this.g,2));this.i=!1;b=nb(La(this.g,13));this.l=new db(a.document,b,S(this.g,12))}ob.prototype.start=function(){pb(this)};
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:49]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:32]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :40]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:25<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735423455.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:23]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42]<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:28]<<Program Manager>>ogU
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:30]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:14]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:57]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:46]<<Pr10:01:46]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:58]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:15]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:06]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:22]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:16]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:05]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:40]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :02:22]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:14]<<Program Manager>>tag('confi
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0:02:11]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:29]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:40]<<Program Manager>>{
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:28]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernknit.com"er
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>>;
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:06]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:38]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1:45]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:12]<<Program Manager>>2A6676\
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0:03:34]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:13]<<Program Manager>>Hz
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:11]<<Program Manager>>K
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:41]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:03]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:07]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :22]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:42]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:39]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:38]<<Program Manager>f
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:04]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:17]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :18]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:02:22]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:33]<<Program Manager>>V
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>>a
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 02:12]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:09]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:19]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:03:35]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:02]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:02]<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:35]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:18]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:10]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:36]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:40]<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:43]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:01]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:44]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:31]<<Program Manager>>X
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:01:46]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:01:46]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:37]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:27]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42]<<Program Manager>> Ma[[
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0:02:13]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:17]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:59]<<Program Manager>>>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:23]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:36]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:58]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:45]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :48]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:57]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:22]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:00]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:12]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:55]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:09]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:32]<<Program Manager>>gram
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:33]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:34]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:20]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:03:40]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0:02:15]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:46]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:01]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:47]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42]<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:30]<<Program Manager>>9
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FC:\Users\user\AppData\Local\Adobe10:01:44]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:03:37]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:11]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:59]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:15]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:24]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:30]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2:15]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:03:27]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:14]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:25]<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:07]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:38]<<Program Manager>>es00
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:02]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:21]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:11]<<Program Manager>W
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:03:42]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:48]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:05]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernknit.com"
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:13]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:40]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 02:14]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageroard.com"erC
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:32]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:13]<<Program Manager>G
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>>>h
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:31]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:49]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:15]<<Program Manager>>b
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:31]<<Program Manager>>nager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:51]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:34]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:02:13]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: <Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:39]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2:11]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:15]<<Program Manager>>HW
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:12]<<Program Manager>>sersc
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 14]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :01:45]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:30]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, KeyDataljApwsJW.txt.9.dr	Binary or memory string: [10:03:27]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:03:37]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:15]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:14]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10:02:14]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :30]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:02:14]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:25]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerogram Manager
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:59]<<Program Manager>>0
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:11]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: :44]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:50]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, KeyDataljApwsJW.txt.9.dr, KeyDataMCkyDBpp.txt.9.dr	Binary or memory string: [10:03:26]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:38]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:41]<<Program Manager>>*
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:01:44]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:37]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000D2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>>!cK #
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:22]<<Program Manager
Source: RegSvcs.exe, 00000010.00000002.2729932170.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 12]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:29]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [0:03:40]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 11]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:39]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:54]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2:13]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:52]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:35]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2731539200.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:10]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:53]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:41]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 03:01]<<Program Manager>>:4
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:43]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2735659514.0000000003E20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:42]<<Program Manager>
Source: RegSvcs.exe, 00000010.00000002.2731539200.0000000000D63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:39]<<Program Manager>>:
Source: RegSvcs.exe, 00000010.00000002.2735503043.0000000003DE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2734470016.0000000003FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:02:36]<<Program Manager>>
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:40]<<Program Manager>
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000CE3000.00000004.00000020.00020000.00000000.sdmp, KeyDatabqSzIMai.txt.9.dr	Binary or memory string: [10:03:28]<<Program Manager>>
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [10:03:39]<<Program Manager

Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BYIMNPJCRL.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BYIMNPJCRL.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MSTILBICVO.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MSTILBICVO.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\OOJWCGHFZE.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\OOJWCGHFZE.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PALRGUCVEH.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PALRGUCVEH.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.xlsx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.docx VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Queries volume information: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BYIMNPJCRL.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BYIMNPJCRL.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MSTILBICVO.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MSTILBICVO.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\OOJWCGHFZE.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\OOJWCGHFZE.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.xlsx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.docx VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.45af2e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.514bc44.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.50d9c24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4565a08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4794728.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5090348.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5102368.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4794728.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5102368.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5090348.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.50d9c24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.45af2e4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.514bc44.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4565a08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 2940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lEIbxztPTKpOpY.exe PID: 5812, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `C:\Users\user\AppData\Roaming\Electrum\wallets?
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbE7o
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodu
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bC:\Users\user\AppData\Roaming\Ethereum\keystorex\
Source: RegSvcs.exe, 00000009.00000002.2734470016.0000000003FE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodu
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bC:\Users\user\AppData\Roaming\Ethereum\keystorex\
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: jC:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: RegSvcs.exe, 00000010.00000002.2734976130.0000000003D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: jC:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: RegSvcs.exe, 00000009.00000002.2729957621.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bC:\Users\user\AppData\Roaming\Ethereum\keystorex\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.45af2e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.514bc44.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.50d9c24.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4565a08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4794728.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5090348.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5102368.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4794728.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5102368.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.5090348.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.50d9c24.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.45af2e4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.514bc44.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.lEIbxztPTKpOpY.exe.4565a08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 2940, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lEIbxztPTKpOpY.exe PID: 5812, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	111 Windows Management Instrumentation	1 Scheduled Task/Job	312 Process Injection	1 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	3 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO.exe	62%	Virustotal		Browse
PO.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
PO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe	71%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Name	IP	Active	Malicious	Antivirus Detection	Reputation
showip.net	162.55.60.2	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://crt.cy	PO.exe, 00000000.00000002.1562844855.000000000776B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1	RegSvcs.exe, 00000009.00000002.2729957621.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000000.00000002.1556388708.00000000033CE000.00000004.00000800.00020000.00000000.sdmp, lEIbxztPTKpOpY.exe, 0000000A.00000002.1630732232.0000000002C69000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO.exe, lEIbxztPTKpOpY.exe.0.dr	false	high
http://showip.net/	RegSvcs.exe, 00000010.00000002.2729932170.0000000000D03000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.55.60.2	showip.net	United States		35893	ACPCA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578874
Start date and time:	2024-12-20 16:00:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/78@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 113 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 5608 because it is empty
Execution Graph export aborted for target fretsaw.exe, PID 7732 because it is empty
Execution Graph export aborted for target fretsaw.exe, PID 7924 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:01:39	API Interceptor	2x Sleep call for process: PO.exe modified
10:01:44	API Interceptor	33x Sleep call for process: powershell.exe modified
10:01:47	API Interceptor	2x Sleep call for process: lEIbxztPTKpOpY.exe modified
10:02:30	API Interceptor	19220x Sleep call for process: RegSvcs.exe modified
16:01:45	Task Scheduler	Run new task: lEIbxztPTKpOpY path: C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
16:02:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce sootiest C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe
16:02:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce sootiest C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.55.60.2	UToB1WBfv0.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	AGrsqxaSjd.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Factura modificada____678979879.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	Pago SEPA.pdf.exe	Get hash	malicious	GuLoader	Browse	showip.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
showip.net	UToB1WBfv0.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	AGrsqxaSjd.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Factura modificada____678979879.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Pago SEPA.pdf.exe	Get hash	malicious	GuLoader	Browse	162.55.60.2

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	arm7.elf	Get hash	malicious	Mirai	Browse	162.52.209.73
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	162.0.91.206
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	162.49.112.150
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	162.32.239.127
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	162.0.252.21
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	162.8.38.13
	https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za	Get hash	malicious	HTMLPhisher	Browse	162.55.133.190
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse	162.20.0.142
	236236236.elf	Get hash	malicious	Unknown	Browse	162.0.209.133
	arm5.elf	Get hash	malicious	Unknown	Browse	162.54.91.0

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe	Statement 2024-11-29 (K07234).exe	Get hash	malicious	AgentTesla	Browse
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	AWB#150332.exe	Get hash	malicious	AgentTesla	Browse
	SOA_9828392091.exe	Get hash	malicious	AgentTesla	Browse
	ngPebbPhbp.exe	Get hash	malicious	RHADAMANTHYS	Browse
	Pi648je050.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	shipping documents.exe	Get hash	malicious	AgentTesla	Browse
	Termination_List_November_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fretsaw.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lEIbxztPTKpOpY.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:tLHxvIIwLgZ2KRHWLOug8s
MD5:	AAC9B2CC385B2595E11AAF60C4652279
SHA1:	5F14BE9EC829371BFAC9DDBF97BF156C13E03341
SHA-256:	0C17939EA24BBFE7F727AFB0FABC5BAFC8F2A8A5218BC9B2A7580A54B510EC84
SHA-512:	3BC9F81C7C9FD417B7F486550EBBE95CF4BA5408E013AB11FA54400F49DB8ACDAD5EE28C95278DACF62E6FDB30071D193EED741616C91E48F9A2ADC92EAAB257
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\QHa07500

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	18279
Entropy (8bit):	7.835859168741385
Encrypted:	false
SSDEEP:	384:lUDIQUDIv727cLD2zaZWZR9M9zPtQXUtiE+l/E+lygnJ:CI72SRCdyUtmjZJ
MD5:	8CD9A0C0B2F9D85684F8FD51799ABA2D
SHA1:	D5CF88AD573F53629666B259C932C7B0B5518AD4
SHA-256:	3ACB994EBBADF276BE270B062A49273E45C3CBF15EF5409FCA95303CDF4AACDA
SHA-512:	A48914861C4291B00B9E1F04A47A9B4E074673251F6D17EED4B30001C45246C7DAB08543DFA190A991B1D8110FE22A6902A2FE56531C5201BAE043692A90350B
Malicious:	false
Preview:	PK..........EW..............Files/BYIMNPJCRL.xlsx.SIr.!.....w.A...?$......8.\|5..J.....EO..A.o.,=.t....=C...c:.g.;\.!}.4/u.8..8 ...a.......d.O...1E.QZ...)..h../.c.\|.l0#.n:.6..aI....P..e......fM...].M.u..q......J.WN..:.'...z.V.R.i..w?Z.........-.!...vs..Srm.U....#.)7.{../.....-c.C....C7.Np..)u.m.a...N.L.P....K.....P.......-4Y........b.......Y?.u.Z....4....3..Iovv7.pWw.....:.2yW.m.)`...tM.^~\WP......#.a6.W.s.....Q.!t...<O..~....,:.r.Z=.q.....>......W..>f].Q.3.5z^..y.EaF....a;E.C......"..<...$..w..:...]I.2l~.'..&.5.G\|}h{=...)...i...6.V;.s..+..&%->...<}N._e.q.\|U[[..6.....H.....'w...T=..f.:.,WE..1.9..+H&.^w~....!\{7....Q/2.u..d...N.[i....<..pM./.V....PK..........EW7.f.............Files/DUKNXICOZT.pdf..G.E!.E.]....Y.L._H;...h.e{..]jz...'..V...SM...\|;.r....D...wf.wai....-8.....eL.....z.....K..!5.g9Kak.c.2...nd....C.......B.....3.zOKs)...A..<S1.D.o<......T..dt......2w.1l..8./.-....Rh..$q..f..`.(.\w...*t\|....im\|.n.....Y.d..Ew..J.Z35..o

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24owcl2c.zph.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c12e13jh.ooi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egxry0tt.m0v.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eogkb02z.5ao.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guip01pu.5t4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syzwyslv.bay.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_torplt2j.obk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcwu3dh4.tfg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp776.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.11897105762149
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtVKxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	34B027F8EAB8B70C94CBC78DC7EEA173
SHA1:	02750D694EF8DF66F009B808856D3B908982CED2
SHA-256:	E2E40183A7A0488E04CD66A285ACD5959290F18ADC8ABCDDE8705C2CEC0EF609
SHA-512:	58841673EA11A2A9885DA3DD788882BEFCC5B42D093C7DD960CDE02EADD41FB36BFD33B90C01013B4993EF5DE1F3C09C6665FB5E901F231FA079A76E585B91D0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpEB05.tmp

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.11897105762149
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtVKxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTAv
MD5:	34B027F8EAB8B70C94CBC78DC7EEA173
SHA1:	02750D694EF8DF66F009B808856D3B908982CED2
SHA-256:	E2E40183A7A0488E04CD66A285ACD5959290F18ADC8ABCDDE8705C2CEC0EF609
SHA-512:	58841673EA11A2A9885DA3DD788882BEFCC5B42D093C7DD960CDE02EADD41FB36BFD33B90C01013B4993EF5DE1F3C09C6665FB5E901F231FA079A76E585B91D0
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\~DFA071F09DFE8A53BE.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.5112384923071773
Encrypted:	false
SSDEEP:	12:rl3lKFQCb77a3X0NFInqAn2FInqAn2FInXDXv:rzDjDjTX
MD5:	3A021D8E526ED63D134D3C3C0C2AE286
SHA1:	4BBA3D59EDC028F0481128A4CF9B89B2DF212D9E
SHA-256:	3E3AF783379411C18854D3FE78DE530B95662ACCD201F6BC4DBD06CF2F4C4FC4
SHA-512:	6ECF1B0DA5204E5AA96F932B1D038DB49ABBCAFAAEEFDE92484AD12DB9E8F9E44E494ADC754A07457824DE5E6C972E2DD628791E6C9A3F1A3236D30BE7FB1345
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD0D2D159E9FCBF49.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.5112384923071773
Encrypted:	false
SSDEEP:	12:rl3lKFQCb77a3X0NFInqAn2FInqAn2FInXDXv:rzDjDjTX
MD5:	3A021D8E526ED63D134D3C3C0C2AE286
SHA1:	4BBA3D59EDC028F0481128A4CF9B89B2DF212D9E
SHA-256:	3E3AF783379411C18854D3FE78DE530B95662ACCD201F6BC4DBD06CF2F4C4FC4
SHA-512:	6ECF1B0DA5204E5AA96F932B1D038DB49ABBCAFAAEEFDE92484AD12DB9E8F9E44E494ADC754A07457824DE5E6C972E2DD628791E6C9A3F1A3236D30BE7FB1345
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Zip archive data (empty)
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.4575187496394222
Encrypted:	false
SSDEEP:	3:pjt/lC:NtU
MD5:	98A833E15D18697E8E56CDAFB0642647
SHA1:	E5F94D969899646A3D4635F28A7CD9DD69705887
SHA-256:	FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
SHA-512:	C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
Malicious:	false
Preview:	PK......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip~RF6eb2be.TMP (copy)

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Zip archive data (empty)
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.4575187496394222
Encrypted:	false
SSDEEP:	3:pjt/lC:NtU
MD5:	98A833E15D18697E8E56CDAFB0642647
SHA1:	E5F94D969899646A3D4635F28A7CD9DD69705887
SHA-256:	FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
SHA-512:	C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
Malicious:	false
Preview:	PK......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip~RF6ed00a.TMP (copy)

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Zip archive data (empty)
Category:	dropped
Size (bytes):	24
Entropy (8bit):	1.4575187496394222
Encrypted:	false
SSDEEP:	3:pjt/lC:NtU
MD5:	98A833E15D18697E8E56CDAFB0642647
SHA1:	E5F94D969899646A3D4635F28A7CD9DD69705887
SHA-256:	FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
SHA-512:	C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
Malicious:	false
Preview:	PK......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BYIMNPJCRL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696849723934257
Encrypted:	false
SSDEEP:	24:9XS3L9Z9achquy916X7oC9YYukwxDMvS7zwUzl9waqHG:hSb9Z9achACukw9Ma73KHG
MD5:	69842C9599BCE04D8727DF49107BEA31
SHA1:	C048464364668A13DD84EAC5E9B765A1D1B00D7A
SHA-256:	32C7FA5D55D3658A65B08F42FEE16884DC5EA6457AB3E6AC50995BC815377134
SHA-512:	AA0DFA923086A78927024585571D55EAA18D7C3C907A80B5DB82396769599717619B1125973479DC848ED352447C6114EB8460B8125F6C47486290884FE26480
Malicious:	false
Preview:	BYIMNPJCRLRBMQEEEUFHTSTCVFQEABUOILZJXSTRKVJYXTSCICYXTUCYTBORUVFEXVHXXHZLPHJNYDQGTPVLWILVQNCPUYBTSIQLWUERWREMYABMDZZQTVDNTDDHAGUUVTCTOOJWFEHSBVTOXXUQRGZNKAYEATNKOEHDUHBLXOYGPQDCOFLMJTHQSYDSBPDURESTXHCQMZBOOMLDWVLKZNKZWNZJSKCJVOCLVGIKQVRJDVKWMRZZTYMEJZFGSYHHXFIVOVJRITSASFJMXNDQBLTKXRYCCLEPTRWCBSLWQQGIZLHEMWQLBCXIJLRDZVGBDMKPQCSAJHPDMQCONOLPJKQSXXWKXLWGWFLLNMOMWBJEMUURYOXEPKNSYCCDIBYHFEDOGZJJRSRKSEMLUDJXBZKLOYRGSOIOLAQQGOKRCRGRTJLWRORHIWNHMGGIWOMOTUTBZAJWLDKALGXBHMLHYLYFZMDYBGWJNWGFVHKCBLXCJPCCAPBVNXOULSIAXANDUOFOTRQEVRFUWUFZCRTHLJQLYEGBPFFBTVSXPLLXDZYMBEAYTIBROCPJVZZSUDJWHANFEHHFHWNIBUHZUDXOLNPGFFLXTLGFZMCQYAGSBHRBITQCSUSVYIHHPNSIDTAQFELFTVTYPAWRKKUYJGRHBOBKCYSQKYEHBXDBGGWIPSQQCYDWZSIIAMYULFQOWVLCWSKUUWOHVIFAGEZJFLQYMCPCCBYXRGJOIZQIOIXSSUJSAMFTHHTCZWSIBUVVURBKAFKXSFMJOWKBXSGIZJARBEJSEPITNOSZGHQXWXOUAERJHEXAIAIJXJBCXQVJCAXHQYYJOOVFEZBKSDJJCTGJPWBAITTSUDYIKNPSTBUYHBNPCEEMIBYEKTOBEZFPKIONTMHFMSRYEGQBWJVYZOPGLWXFVPHCHOVMZAIDRTGJPBLDKIATOXKOSRGCRSMGGORALNTMZEZXSDRSQYSYAIOLFOYGEVJDRGTSRFAUZPOU

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\DUKNXICOZT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694015263253693
Encrypted:	false
SSDEEP:	24:pE8hRSoFxFv2tFu66PaDs7Wya/4QEssgd8uS:pE8nSoFxFvaCgoWc/gd8L
MD5:	CA67F06C14A077335756DA58259702DC
SHA1:	38A16C7089B83C544B5A58A1A91EE36AB2EE7F38
SHA-256:	6EDC691DABB9C6D794637CB2149341BB454C0490C01BBEF92C3BD48BB86B2329
SHA-512:	1754DE4F4BAC84BD0D0E605157AEFD00599B1641042A3F77AEA16614FE595B7090595C982C1679D910C20A2BF53936BAB648FF31C2CF82F3F9AD985D22EA14E8
Malicious:	false
Preview:	DUKNXICOZTGLPDSRRQNKVCEQUFBSMCGTLOLLPKYXLUAXKQNZYDHXTQPNHHFHJTMIGEVVJMXNTUPFEQSTIPWCYHGFUQMXUYJBEEKJNRRCNFODXCAMAXLAZTIQUNTNPGERBSYITUYWBHPPZHKLUNSGUFMHVRZKTGCTKCZZJDJJKZRDBOFQSLPJQVAUHFJGITHWOZYPLVWBUXHBXXXJUCPJMVLNEPNKDIZKYGMCDARTHGXLNZDXRLUSQRQMRUGCFVVHERGNVXKXGPTCXBJJSYOTZHCRWDCIILVDANNRVWIHRUKXNEWVKZLEBJFPCBFWGQGWGNAHYWNRYILMVTJYSQGDDEIOTQFNFCPBIFXMUECMBHHGKFHGYAPHBDYRWVLPTNZQXENCWRMKRIQEHFZXOHUQUMEVRRXBUGYMSBZKQNTNXORTCHQQTODUBHKLIIDLWFSVAULMVBXACHFRLSBSAGSWTRHIIZFLUSWOCTUGDAHTWKZBYIVQRRYRKRAUTQQLIUHDWFKYDUVNGBMEZUTAFTTKYLQLJJTEVOLXVXBJATRZJRTOISUFLOLZCIBSUKLPDJXJBNUXCGPOLEGGOYZSOMTIWZMXNMUQTDLWGLIFCOJBEBCJQCSUDSWMKJERKRVNPKGTBPKKHLFCUULARSYSMUUYOBVXGHJPZEQKZTIWHIOQYDFCLYHJZKEDUCRZKCLMBUTIQDOHZOSLLXZMPKRTSVSHOIOGCLWGQOYRPDVACEIULCNRQDMRTSTZBWQMCLPDYWEXUCNSMFNSLTBNUAJKDHOPGLEHJPRKNWCKRZSOJXBNVSNBJBRTNVXHVKISJRPDYQBKOXYGOTQXOJKNGSOSFTFSIVNPFOAYLIRBSAREFWQPLONYPUBHJPFGRFFPXAQEEPWYSTOTGMJMHXBQMNEWRCBJRORHQBKISQFFCDYLOWZILZFBCXTYETKBEANFDVZBQHUOSIHHQTXPKVPTCPOPJEEGGSIDPOLYQHTCFCAHOXRL

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EFOYFBOLXA.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GIGIYTFFYT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GLTYDMDUST.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69569301223482
Encrypted:	false
SSDEEP:	24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
MD5:	CA404BEA65D84F58838AF73B2DC67E02
SHA1:	56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
SHA-256:	4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
SHA-512:	10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
Malicious:	false
Preview:	GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MSTILBICVO.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.693751145140717
Encrypted:	false
SSDEEP:	24:sJ16lj9I+47WMiYc5DnrII4xxWX3CcQuYt0HyW8+:v9nT5rII4KyclA09
MD5:	470DE909CB8D8A8B41776A76A63C260F
SHA1:	2B3F59B83102676C8EFECE8494CD0313C112E171
SHA-256:	73C1BCD3CD09FBAEC1F4636D563F48C9913FC6A42B76600879E151D13C39776B
SHA-512:	94EC753E2390399A8C21AFBBBDDFCCFE0A0DAFA3B2BC25986FB027FB3F528C749BC5F43270E2AE6AF2C1B783F4972CF836C2E5CE2EC2841B5CFDE6EB734913DD
Malicious:	false
Preview:	MSTILBICVOAVMGDSHEVHWINWZZEBBJQGIMZQBIREQDCCJPVJXBDUWRBEQLPFDIOCELVKWUABASIBUKLLEZOEAIQVDZOGRMTGRYFEYWBUXRXCQTOKNVUBEUCJWEKHHHYBFUETIFNEEIKXACTGHVKLQVCBHOFOMNBKWZSOTMTTWRGRYMYYWXNRBNCCVWVBORBNOXGIYPKVCNCBFIMJHPEMFNUZJIPUOLQAYBAMBVTGEQQQEXTAJTYRZIVXCAPFDVBTKRAZDZTKWAGGWQRMDKHQYOAMTUMSXNVZMUXVHJYBTDLHMZKHVFYRLAXYBCCGPUKXJIGXCXHGCZMUWPBTLXRTFKKMARUCEDSUZSDWQMFHUMQHUXVGZBIFKGZUJUXYICCCCAAATYUYYAIBVHBCEBKFMUQVTBCYVYPYMMLEWMRQZJGFGKVJQQCKCJTHUNKTTMICYJCXLSJLVQMMEMMSLRULFUOFTTZDGHEDDKRNKNYCLNBVLVHOFVJLJEBXTOOLGBWGAWORZFYUNDVYMIVUPOIUGRHANHQAKFHKXIUWNTYRJUSNEFOBIPHMLOSJLXTFBHKPUYZKTCQRVYGAQDRXXOGMWKFQWMDNQPUXDSGIZQYGWQJLHWVXWPWJOTOKRUBYBHHJLJOJSVBRECMOVDVBECPAKAMSFNKAGKXHETSFMMKLIIBMOBUANYYKBIRYQERLFGGMKAGYRSZTZPPQKLCTBUCWVIVQXHAOTFLYBLFTTJVZGTFBDATSPXHSVKYEOOREFSJSCYQFNLCZOZVAWSFSTRAPOXLEWAAYBDYUOIGVUWHVENYTNHGAFOYZBEXCEELWCDNHMIJAQWSGMNYHFSAYTBIFISKSZXJABJNHATKXSFBUQHBGPVNJUIQGKSFAJFTJDVFRUAYINECEJVTSJUBAIZMWAWBHSOICPEFZWABJIPYSIEWHYTWEYIGFKHYBKCJDISOUJWRXLONVUVNWWZJWLRDMLMXHDSRDITMRJYLIBNIN

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\OOJWCGHFZE.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696658693841717
Encrypted:	false
SSDEEP:	24:3MdIzLOg7SRKnk/cq8LUPYkwD7V07An1JLnjzXUPxLPu2k:3MILOg7SRKnqc5LU5oJ07A1JLnjzEBa
MD5:	61FF9363393269AD641F7DD8C14B5456
SHA1:	27855AC1499F6627BEB4D32C7DC77938A30F6B93
SHA-256:	5C4C4BA12F53DFAFD9ABBB44B9B6D42659217438CFE3C6710A2EAC3F2BBFAB2C
SHA-512:	636A83074F9C57EB8A5E8B2C17BAF1A60991B708F66E2E9BDCE70BF794E0D739849D4F6869EE3B45E529F9475BD8564AE66323FF0BCD06F4FA6FA213B0797C55
Malicious:	false
Preview:	OOJWCGHFZEYSVZSAVMGYFBZRQQVSPNKBSTFPIOXXACNWRXKBHEDWMUIFWAWPQFWWAYZBICXUMMZCLEUMDPYVPQRXQHCCBBIMLEYUCJTVIVHFVVALUDEUETBIGNGUYMTGFEFTYJDSOYIAGMAQACYHUALMXJEFLZIDJYQFYVMBLVJNYNVGMNZJNSUVMBGBYVXPDEWEGTGCOCELIMUCEYVSVRJNWAVFEDEKEFNKTYJYNMAIYMYUVCPQJCFORLEBTNEKVJQRKILYXNBOBHMHUQTFGWEZPTHSMKTNLWSHZRUKDCAMLMWJCBANNXSWEWWXNSKAVUXCXGWNJJSPEPOEOBEKQUUWBMBZHFOPPRYHDWPNLHYGQQAZMBKWTAOWYOLVGFETIBSZPNVKJZCVZHBLSVXXEZZZLOCAQBFRQRVLVLPOOKQLFZGMLSNUTBQWYKFAXKVUVDUHDHXUHXXLOJYSHSJSCDCSKSTRRIPKJTBSLGIRCVKDCTBNPMZMOCYWVVNCFLJOJAJXVTJNCACZLKULPCEQNVJXNHDCWDSASISDDFXERTWELSGCJXIPLIRYDNQBUUOQBDXNWXADWLFOUDJHYDMOKSFNWWDJZFNTEXZUQRTGGDNGSTMLLNHJWRRQKMWNHWVIYWOUQTPCIYXQLYYJUIUPPKXQQSYLIAYGNMUUJTVHNEKUJEWBEGNESVSMTMPBREMJMHBDPPODBEINHWXDHWVYNWSVOLHAZPSGKPFGELKZREADIJXSJHADRPPBSICVJDYZYWRQHOCWRXHZMHTFJEUDQDLLIAMFGRBMNAFOWVKHIQEMMHBAEDJDWLLCHLNMHVWRQOKFAJIUONMFXMFHYYZUMJXSEDOCEDACVHVOCVDSGVNGXXLLQDXUWIIWAIHTXOXJTBSWVOKBYKVWKJUWYNFPWJPCDFHBRUIEEGNVETOEPLBLCMJLVKSRMJYTXYKQZFYSEOZJRYLRBKWLTVQNZOSNCFWFBSDCCDRGPMCIKAWU

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PALRGUCVEH.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.685942106278079
Encrypted:	false
SSDEEP:	24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
MD5:	3F6896A097F6B0AE6A2BF3826C813DFC
SHA1:	951214AB37DEA766005DD981B0B3D61F936B035B
SHA-256:	E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
SHA-512:	C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
Malicious:	false
Preview:	PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6969712158039245
Encrypted:	false
SSDEEP:	24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
MD5:	31CD00400A977C512B9F1AF51F2A5F90
SHA1:	3A6B9ED88BD73091D5685A51CB4C8870315C4A81
SHA-256:	E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
SHA-512:	0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
Malicious:	false
Preview:	PWCCAWLGRESZQJYMKOMIHTZVFVPFCSAZVTKGMPWIGSDMTLFZQLHJERDPYZCJGFCRLISWNBAMIMDXCWDVGVLWLRBEVYOOPHYWACKPZXSURGSIFWTFUJKLSAQNAJEWDLUIKFHXLUAMUDGRAVFMICAHEZBIIEGWGAVVJHMHSIBGNLEHYVSOKQMYABDYCPEBOGBMYUCIGVRGYYQRAYNYHAIBMHOTRIZLLYBECMXTCFUOVXXHSEMIUWSBDHOZIZZUXFTLKXXNEMXBKLCQDPKVZNOMDYUYJRWCVILZVJDNNBMPTNOFSKRQTILJRXTKDNUIYSQCAOPCQKTXYXPPGZDZOQYLGYFPFIWNBSQZXYABPTNBJQNBZEETJSFXZNHXBRWUHOMCZAGZQJLNPMZFALBBPHBIXZHLBTBJLTUHPUYVUDWDFJANSIIDJVMUYLPZPYGAJWMTOHGILQWHKJDQUWMTSWIBVVZGAHCNWIFZNGNERRKMSIVXWXEXRZZEWYASCIYJYCOOBWRTNZELPWKFVZKZIBGQBLGCTSTNAJSWPHYJCQSYZVFRYFSRAVVXJIOHQCNVEOIMWPEAVCJLBHRUKDHJWPFMXAKTZVQCOUKYCBZFWBREKKHOHZVNMMJZGWIZEYRAIKTHMJRCWVWKNMJNSZHSDRUZSQOJKCTOSNGKOKEAWUIQNIYHWKIIDHKQIJWCSGRRLEVUTENXSNNVDVYDJTIWYNCAZIEBXMIROLIBTLMGEUOCECFFWLENTJSVHFKQHKAPBXQAJJSUOUSFCBQTHCFYZGSVVAUPLQELRWLXRCZSUSFUBCORCWMJPUNHTEEYODSFGJFTDZLLXMQYMIHIZXOYGABIAWYSBWLAJSCKBWGJBVMMJKBKLUHULJIUHQXIXESAUTNVVZNKMIVIOHPPQAWTQSEHTQMIWNPRZRETXZHRGWOTGIEHCCSGIUCKCIFCQPTAJOFCIMYSMCOPGASEEYCNQLXCNRAPQUSQXTWPKPYCQXPE

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SNIPGPPREP.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SQSJKEBWDT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataARgQJkBs.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.294906132253986
Encrypted:	false
SSDEEP:	6:tMlZdp+Zdp+Zdp+Zdp+ZdpFQZFQZFQZFQZFQZFQZx:tMDdpmdpmdpmdpmdpccccccx
MD5:	039E4F522951045C1E3FE6F516CFEA4A
SHA1:	A0DCE1E6879D2E5884658798ED9D4C86FDEB9B05
SHA-256:	24236BE5982BBF7DB148D9AC663AA8F44AE1973D98B607468B35E416D625FB26
SHA-512:	53E60549FB3F5FF25CDBFDDCEC0935B73ED37C459D931CB2D3DA56B48916335CBE63A930121A7D41EB08E5EEA360F433D97E1DBF09C5F7C3F806F24EC91133B5
Malicious:	false
Preview:	..[10:03:39]<<Program Manager>>....[10:03:39]<<Program Manager>>....[10:03:39]<<Program Manager>>....[10:03:39]<<Program Manager>>....[10:03:39]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataDYRtXGKK.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.2756809657379415
Encrypted:	false
SSDEEP:	3:tMf8qdpE41d4ZZIUE41d4ZZIUE41d4ZZIUE41d4ZZIUE41d4ZZIUE41d4ZZIUE4q:tMnpz4fz4fz4fz4fz4fz4fz4f777x
MD5:	58AB6CC8DDEB2F9017415858C3E6FF6C
SHA1:	E66EA7F12430FF6EB831B136ECEBA68BC1028AFA
SHA-256:	1C922A352B88B545B32EE1923DDD89C5768D1BA8F905FBC23FC013BC31FB0794
SHA-512:	133D9F255F073C3B829B8BF61C48152AC42DCF5459B550E46CB4462E2E7964CCF7161904CBA139FAC63684CB189C6FC81D62A8D676BB378D752E5D3930D08028
Malicious:	false
Preview:	..[10:03:19]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:20]<<Program Manager>>....[10:03:21]<<Program Manager>>....[10:03:21]<<Program Manager>>....[10:03:21]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataEFqpGRPw.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.257120615082435
Encrypted:	false
SSDEEP:	3:tMf8CnIUE41CnIUE41HE41HE41HE41HE41HE41HE410ZfE410ZfE410ZfE410Zfx:tMFfAfllllll6Zf6Zf6Zf6Zfx
MD5:	1C1F5A215543F5A80023649BB1EA7228
SHA1:	555BE9997D1C85233E033A8A1E6DBA91F4A58C7E
SHA-256:	4ECD5D3C7BA99BFCF0B23EE0111C3A89A91A62C2BB9D7B1AC81FEBC5476DDDA3
SHA-512:	C3CCB8B152CD9F11AF4D1116CF1173E0D15CE93720FA43B8C0D20CC138612529ED1BC3B61A3CC4F3262DFA1B6FCE49A89464BF27053A760828698F0C3F57CCD1
Malicious:	false
Preview:	..[10:03:11]<<Program Manager>>....[10:03:11]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:12]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataHDEyIxlQ.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	528
Entropy (8bit):	4.195581412346335
Encrypted:	false
SSDEEP:	6:tM2WZWZWZWZWZWZW11Z11Z11Z11Z11Z11Z11ZbWbWx:tM3IIIIII1f1f1f1f1f1f1fbWbWx
MD5:	DE1E090409E2665391DE79AEEE6A0F9F
SHA1:	FF1A2DD00CD00BA594356BE5583688FCAF0E2BBE
SHA-256:	EE4961B26B37953651202B93F38CD66CD15F8D50D0EFCC548ABD75663C51061B
SHA-512:	0B12C35AB1DA593893A25174762112C372113020F7BA1276B19C66EF7757C3D2ECC1DB365F178383D23F477D64E3F64872DFD752D94E0AE433410C8C6DB253AA
Malicious:	false
Preview:	..[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:00]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:01]<<Program Manager>>....[10:03:02]<<Program Manager>>....[10:03:02]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataILYmXomU.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.261997963871118
Encrypted:	false
SSDEEP:	3:tMf8tUE41tUE41tUE41tUE41tUE41ln1ZE41ln1ZE41ln1ZE41ln1ZE41ln1ZE4R:tMLwwww7f7f7f7f7f7fx
MD5:	7877181514024CA011119481FF91DD1E
SHA1:	0B02C0A10C5E5F193BF9045C30447B5FC2CC9A5B
SHA-256:	A659ABD0C155CDC3C3A9BC49F055411C060FDD42564CCD388F3B3F668BA4F644
SHA-512:	5AB67EC40BD45F0CB010C0890B5FE5E9D0DE1F525341A8BFB5F48BCD8DC41598A166A67FF255CBCCED4C5B7D0F6D113F67F04A79DD31850EF8AE34BF964E781F
Malicious:	false
Preview:	..[10:03:31]<<Program Manager>>....[10:03:31]<<Program Manager>>....[10:03:31]<<Program Manager>>....[10:03:31]<<Program Manager>>....[10:03:31]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataLdsQdxaG.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.3133231042073525
Encrypted:	false
SSDEEP:	3:tMf8KZjpE41KZjpE41KZjpE41rE41rE41rE41rE41rE41rE41rE41wZ1XpE41wZ5:tM/jp0jp0jpxxxxxxx+Zdp+Zdpx
MD5:	C5A214E352F0D3418F698BD4CFDFE689
SHA1:	4AF66A194E88B831222459012468330ACE701059
SHA-256:	4E35330A80756A7C4A48D4F6EBB99B101803A653011E053474594F01337BA299
SHA-512:	EE96029DBB8D5F2972F229199D72BFAFD9477E8181EF2905CC622A39105829B2EA1F80D87053C72C7B06B291B2C0A7EEC1AFDBFE275995900851E27EEAAF2AA3
Malicious:	false
Preview:	..[10:03:37]<<Program Manager>>....[10:03:37]<<Program Manager>>....[10:03:37]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:38]<<Program Manager>>....[10:03:39]<<Program Manager>>....[10:03:39]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataMCkyDBpp.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.36518261180312
Encrypted:	false
SSDEEP:	6:tMU4f34fdXpdXpdXpdXpdXpdXpdXpdXp1Wx:tMU4f34fdZdZdZdZdZdZdZdZMx
MD5:	396DB9B4F54C20283FE63476E8DF8C44
SHA1:	6350CA3C8B2D4D7A0129CCC064EBF0C64CE3AFEA
SHA-256:	0768FAB431FF6D3817AA675E5BD9C9AB9D53BFCBCE3EF2204F938F1E53293D9C
SHA-512:	2636EB8163248DE010FC04E7689F8DB713FCC8695D91A0E55573BB537BB77981A1FED9164AE2CBFCD29234A1D97CDD8E99EFF525444599D2E8057065910B44C3
Malicious:	false
Preview:	..[10:03:24]<<Program Manager>>....[10:03:24]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:25]<<Program Manager>>....[10:03:26]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWKDWGaOi.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.301492761999363
Encrypted:	false
SSDEEP:	3:tMf85ZLZE415ZLZE415ZLZE415ZLZE415ZLZE41qdpE41qdpE41qdpE41qdpE41x:tMuZN3ZN3ZN3ZN3ZNKpKpKpKpKpKpx
MD5:	7DCDD90A18C5A71937C2DA58AC61FDAB
SHA1:	8CB565FC66C80844BACA5D3CE4E857D3E8008C42
SHA-256:	2C9929B152D8C92647FEA1762E5B4172497D6A5BB9C03A73110CB30E31A5602C
SHA-512:	25CAB55F8C6CB189B1BC23A08CF19B708BFD6EF494C09418F2B43EF70A6B14168E737F5AEE262256AE8657D971940E00885EEE63A7A319BB7A5603EDA41F5D5F
Malicious:	false
Preview:	..[10:03:18]<<Program Manager>>....[10:03:18]<<Program Manager>>....[10:03:18]<<Program Manager>>....[10:03:18]<<Program Manager>>....[10:03:18]<<Program Manager>>....[10:03:19]<<Program Manager>>....[10:03:19]<<Program Manager>>....[10:03:19]<<Program Manager>>....[10:03:19]<<Program Manager>>....[10:03:19]<<Program Manager>>....[10:03:19]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataWRlfbyKR.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.318232857062948
Encrypted:	false
SSDEEP:	3:tMf8eCpE41eCpE41eCpE41eCpE41eCpE41eCpE41Z4fE41Z4fE41Z4fE41Z4fE4E:tM+p3p3p3p3p3p34f34f34f34f34fx
MD5:	A81BC99D559E02F7BD1B2BE3B333AF4B
SHA1:	A8F09C97F3427DE79022B552D59B3FB975E82F5D
SHA-256:	7085F0F937E016AC3A4BE1CC80AAF040DA532FBD0B222637C84A6E833B37FA8B
SHA-512:	8BB1D1F3D662588F563EF6FD5A5018C8F00D16E7DB6A2AD20E147F43287EAD6563923AF77A697DE1A63FCE84827036C636053C324F6C652834BC4E427A20BE6B
Malicious:	false
Preview:	..[10:03:23]<<Program Manager>>....[10:03:23]<<Program Manager>>....[10:03:23]<<Program Manager>>....[10:03:23]<<Program Manager>>....[10:03:23]<<Program Manager>>....[10:03:23]<<Program Manager>>....[10:03:24]<<Program Manager>>....[10:03:24]<<Program Manager>>....[10:03:24]<<Program Manager>>....[10:03:24]<<Program Manager>>....[10:03:24]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataafuoZGGx.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.301492761999363
Encrypted:	false
SSDEEP:	3:tMf8OZLZE41OZLZE41OZLZE41OZLZE41OZLZE41OZLZE41dZfE41dZfE41dZfE4F:tMnNwNwNwNwNwN7N7N7N7N7Nx
MD5:	79FABF89F66E92A833DAFFB8BEE45685
SHA1:	FA92BF76937076FB950BB786A6A276B322652E16
SHA-256:	4F75FD2A9927FBD6D6C0B14CAB3DB96F35759DF21EBDDFCD32E249B30804B735
SHA-512:	72555DC0FEC8E14BAF5D4FC7B4423D005E1A5DAD615B85843A9D115AFBB1983401E3452DF82AE35AC2FDCABCF1AC5417552CB507FFCE79B17B7FA1F72B4F4FC7
Malicious:	false
Preview:	..[10:03:15]<<Program Manager>>....[10:03:15]<<Program Manager>>....[10:03:15]<<Program Manager>>....[10:03:15]<<Program Manager>>....[10:03:15]<<Program Manager>>....[10:03:15]<<Program Manager>>....[10:03:16]<<Program Manager>>....[10:03:16]<<Program Manager>>....[10:03:16]<<Program Manager>>....[10:03:16]<<Program Manager>>....[10:03:16]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatabqSzIMai.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	330
Entropy (8bit):	4.358682479810082
Encrypted:	false
SSDEEP:	6:tMY41Z741Z741Z741Z741Z741Z741Zzfzfzfx:tMY41Z741Z741Z741Z741Z741Z741Zzp
MD5:	A3D3D5F2133C9BCF92F985C05404154C
SHA1:	EA8ECE7E9914D075EAAEC2CFFB6A34D29BB1DDAF
SHA-256:	687FDCC08EA8E593DDC190FCDFD9D49E1C7DB70A3844842A0E0EFFD8B0277858
SHA-512:	EC4F756D03833FDAE88E6530160773347820144543F9DAD792D7FBBF719710BA89E109F70ACE7AA58D83E8B073A0FCDE86FB4EF96B478457886C25E0A744909F
Malicious:	false
Preview:	..[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:28]<<Program Manager>>....[10:03:29]<<Program Manager>>....[10:03:29]<<Program Manager>>....[10:03:29]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatafWGBGTKT.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.265989180648781
Encrypted:	false
SSDEEP:	3:tMf8/UjpE41/UjpE41+WE41+WE41+WE41+WE41+WE41+WE41+WE41RdKUE41RdKG:tM+WRWZZZZZZZPfPfx
MD5:	C2B7192DCB0AF17CDF986F6E713E0B87
SHA1:	095434BB17228A1F906F8325C06F718335F487BF
SHA-256:	4F550AA9E2109EE855E7F9347CE66344CDFA12D0E94DCBA315705B37CF374BE1
SHA-512:	3E7B9F98A4F61C58784F5156847D2C512B465895A597A57BEBA257F05A1F9F3AF4D354B43110A1A4436F14F079A6B48083074FE1CF3CF37641A4E6B94ACC95CF
Malicious:	false
Preview:	..[10:03:08]<<Program Manager>>....[10:03:08]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:09]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatagdxfvMje.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.2796076569630745
Encrypted:	false
SSDEEP:	3:tMf8c4IUE41c4IUE41c4IUE41c4IUE41fAfE41fAfE41fAfE41fAfE41fAfE41ff:tMA777xWxWxWxWxWxWxW3px
MD5:	4A4DDE2D04EC6AA1FB5CB7EB1AF92CB6
SHA1:	FB06269A142828634E04C2513B79E5F07ABA6FBD
SHA-256:	31C9086498A939460EC142033053C902CE595D50EE0E70D589B99464987308F0
SHA-512:	5FDDD4E974C969D6F1B3AC15895B6328CE746864D043A6DF4004CAFA15D538C929C36C041DD121B80C2DF822F2BEFE3198672631EF632193A4AE44AADF36D7E1
Malicious:	false
Preview:	..[10:03:21]<<Program Manager>>....[10:03:21]<<Program Manager>>....[10:03:21]<<Program Manager>>....[10:03:21]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:22]<<Program Manager>>....[10:03:23]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatahSitYtMr.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.3101788807279675
Encrypted:	false
SSDEEP:	3:tMf8eE41ZfE41ZfE41ZfE41ZfE41ZfE41ZfE41ZfE41KZjpE41KZjpE41KZjpE40:tMHvfvfvfvfvfvfvf0jp0jp0jp0jpx
MD5:	4CC7F62A58A6DF273A148132879E6314
SHA1:	645E439D88E6153B58EA7FF19B7BCE2392DC6D6A
SHA-256:	68C972702D70F538EE7C63B2C061FCCB6F908FA284CA5D2B356434DAD32DF191
SHA-512:	A6EA94926A74B33A13E277982733AF2816A931A1AF2A41DBAE277D3955AA6F42FFF96B0C94432B22E5E501476096A2B815AE186F83E3BBA7E5B42F09D387F924
Malicious:	false
Preview:	..[10:03:35]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:36]<<Program Manager>>....[10:03:37]<<Program Manager>>....[10:03:37]<<Program Manager>>....[10:03:37]<<Program Manager>>....[10:03:37]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatahWPWanmw.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.311046290992092
Encrypted:	false
SSDEEP:	3:tMf8dZfE41dZfE410XpE410XpE410XpE410XpE410XpE410XpE410XpE415ZLZEe:tMcN7Nspspspspspspsp3ZN3ZNx
MD5:	02480DFF693CD4E38304D3E8C1FAD1F3
SHA1:	8D4CD711061AD390318FE7C8C750245472F5E2B4
SHA-256:	F9ED068AFADB4BF4D8E06BCA7E32A0BDD7727A4929380F083D2C7087ADF37D69
SHA-512:	43D7FD6BDDB3FF5CA8D2DE466BDF547CB3914A0667DEFC8E9E62773747D168A6A5CD3F52B652D19C608493EB2ECB43DE5F8C13C46CBFFC13A55C0EA6F6ECFA07
Malicious:	false
Preview:	..[10:03:16]<<Program Manager>>....[10:03:16]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:17]<<Program Manager>>....[10:03:18]<<Program Manager>>....[10:03:18]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatalcLRVsfX.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.286091332242886
Encrypted:	false
SSDEEP:	3:tMf8yUjpE41yUjpE41yUjpE41xUZ1XpE41xUZ1XpE41xUZ1XpE41xUZ1XpE41xUx:tMepTpTpfQZfQZfQZfQZfQZfQZfQZfx
MD5:	6ED45B9B3EF5FFFC52ECB6CF29A5C1FB
SHA1:	EA385348A644750070F1C4F1048A5F941412D02A
SHA-256:	F7E9C6760D86710FC4039B1CE1AD4F174FB305BE4E304E1924C8557028998601
SHA-512:	1DF3B99C39DD14468040636549462D87112A88F026606F1886AF10543237A7A0C01DEF385B195E647CDE26F45F7DF8A5ACD6166168997A5CAD088F689298B2F8
Malicious:	false
Preview:	..[10:03:05]<<Program Manager>>....[10:03:05]<<Program Manager>>....[10:03:05]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:06]<<Program Manager>>....[10:03:07]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataljApwsJW.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.361669687610703
Encrypted:	false
SSDEEP:	3:tMf8bCpE41bCpE41bCpE41bCpE41bCpE41aULZE41aULZE41aULZE41aULZE41ag:tMWW1W1W1W1WDZDZDZDZDZDZDZx
MD5:	90FFF63A2F5C2B81B12DD5139EFEB2DE
SHA1:	FEEE665ABE6C6EEAFA7A285EC4CEEE3DE64CF863
SHA-256:	CBE48C05D6B05CC59267CEED1B1FD90B74A29A267F2AD8DA1A8C97D725CE519F
SHA-512:	0ADBB8AC1FBD7607FFF29DA49C7F220A7470F9E4B3A55619E9B9001A0F078C08B66AB2906A4CCBA4606DB8CCC1DA456E1F3B12BA55930A7A099EC04AA86F1580
Malicious:	false
Preview:	..[10:03:26]<<Program Manager>>....[10:03:26]<<Program Manager>>....[10:03:26]<<Program Manager>>....[10:03:26]<<Program Manager>>....[10:03:26]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>....[10:03:27]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatancViCcPf.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.276864743666909
Encrypted:	false
SSDEEP:	3:tMf80ZfE410ZfE410ZfE410ZfE41dnfE41dnfE41dnfE41dnfE41dnfE41dnfE4Y:tMFZf6Zf6Zf6ZfbfbfbfbfbfbfwNx
MD5:	4944554F82A31D1E7DC3684C0508DB92
SHA1:	04852E70D69885A3A1AF59F307D84613C9E0D868
SHA-256:	BC3C9602D5614C42910399E8511E70B991922DB66DEE940A5569BD71BB0D5FE4
SHA-512:	86E9A5393D88D5F03341B0EF567C67F790C48D7F0314DEF581DC4297119CA4984595910A327EAB6260E9AC0EB4433DE3E205DF8D675F699742B7F9C446655D4D
Malicious:	false
Preview:	..[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:13]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:14]<<Program Manager>>....[10:03:15]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatanjLHdcse.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	330
Entropy (8bit):	4.300793379665355
Encrypted:	false
SSDEEP:	3:tMf8vE41vE41vE41vE41eE41eE41eE41eE41eE41eE4F:tM2FFFccccccx
MD5:	B57857279A67CEA10B1019C0F0B4039F
SHA1:	38EAC40C18C7590C5C0F264A0D39A4129E3B0405
SHA-256:	35BAA844823D42F89B16F477D0A138B2D74EEC2FBB27DFC000875A1279705A83
SHA-512:	27980FE9E7EB4824A69EB1282C2BA6083817B8414B8B4F22F79E9276FC103EE52522BA990C1F8F3AA6267390C14BAC7F3BBCC2C816A1D3390B0ECC884FBC61BD
Malicious:	false
Preview:	..[10:03:34]<<Program Manager>>....[10:03:34]<<Program Manager>>....[10:03:34]<<Program Manager>>....[10:03:34]<<Program Manager>>....[10:03:35]<<Program Manager>>....[10:03:35]<<Program Manager>>....[10:03:35]<<Program Manager>>....[10:03:35]<<Program Manager>>....[10:03:35]<<Program Manager>>....[10:03:35]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataolHheReu.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.278188248151204
Encrypted:	false
SSDEEP:	3:tMf8wWE41wWE41wWE41wWE41wWE41wWE41wWE41/UjpE41/UjpE41/UjpE41/Ujs:tMgffffffRWRWRWRWRWx
MD5:	0AF2A8B83E0AA42931A3455A4E1EAA6F
SHA1:	992C6F5EAE4F0D298F97A411FE1D2B27BCF4D5E0
SHA-256:	89B21CF9A339AFF39BBF9810F141CBAE6B4CFAD56C98643A51D32D945CD533F2
SHA-512:	57B7B7171AA7F364C1440CCECEDB88862BA2E7637F00573B21B832FAF99C91D1C8A3E1204080CA75FEABD0715D386A31F6C195F365DD068CBFF97B6A3F53349E
Malicious:	false
Preview:	..[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:07]<<Program Manager>>....[10:03:08]<<Program Manager>>....[10:03:08]<<Program Manager>>....[10:03:08]<<Program Manager>>....[10:03:08]<<Program Manager>>....[10:03:08]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatasXMkXjoY.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.265021656193099
Encrypted:	false
SSDEEP:	3:tMf8U4ZZfE41U4ZZfE41U4ZZfE41FZ1XKUE41FZ1XKUE41FZ1XKUE41FZ1XKUE4J:tM2fzfzfbNbNbNbNbNbNbNwwx
MD5:	1BFD6D90562049FE4F4CDAF313D71E47
SHA1:	2F5CAA7BEC9DC7595A55FA7D8C9D0B24E0089970
SHA-256:	9AE005436931E8E1B3F4DE5ACBF76606F0B3C4AF7B6DAF21B8C7D98B8D03E065
SHA-512:	A85E315388DD69FA5C329006B1BB486DF92C2E9756B9C1E33BD7BC5238C50728D0E4A5E0D14B058D842ADBA8BDCA191A831D1F2D936E715C2E168988BE3E25D0
Malicious:	false
Preview:	..[10:03:29]<<Program Manager>>....[10:03:29]<<Program Manager>>....[10:03:29]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:30]<<Program Manager>>....[10:03:31]<<Program Manager>>....[10:03:31]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatasiMGbFIC.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	396
Entropy (8bit):	4.320895694920304
Encrypted:	false
SSDEEP:	6:tMiQZFQZbpbpbpH41ZH41ZH41ZH41ZH41ZH41ZH41Zx:tMrcFFFHWHWHWHWHWHWHWx
MD5:	025C7AAA0CC01A2F4BAE0CB043CE00E1
SHA1:	E132BCEBCB7FD22E43B5B9F84A21406614C0C304
SHA-256:	F47E6B7E37C08DDE82050DC2A05A59273FDD972D3B6C300B2AB60528C15D6D4B
SHA-512:	5D086D1F74DF6F5384DD0E9C3EFC29841D5B3391B404D869F7D7CEF4E62CC32E422FFC9E920F6ED427D5B82FF74FC8068492E8A84BFD3633BCE524E2113C2F10
Malicious:	false
Preview:	..[10:03:40]<<Program Manager>>....[10:03:40]<<Program Manager>>....[10:03:41]<<Program Manager>>....[10:03:41]<<Program Manager>>....[10:03:41]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>....[10:03:42]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatauKSDFYHP.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.192254487406466
Encrypted:	false
SSDEEP:	3:tMf8RdKUE41RdKUE41RdKUE41RdKUE41RdKUE41RdKUE41CnIUE41CnIUE41CnI4:tMWfPfPfPfPfPfAfAfAfAfAfx
MD5:	EA39A4B821E116C629850E80E88DF002
SHA1:	BC6164BC7F9B83B123E28C15556A0B5F26277DA2
SHA-256:	F34F5FE966B840286119B00EE90F5276DE882E4530AD882CD63481F0A7AF0323
SHA-512:	B25D02C5D0A26600F1DF137E43E218769A5A1BB03A1E616CBC82CC0D8A03480892EBE48BA7A410A8827DCC769B6783F33A70D3707C9C184932DCB4F29B4D2967
Malicious:	false
Preview:	..[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:10]<<Program Manager>>....[10:03:11]<<Program Manager>>....[10:03:11]<<Program Manager>>....[10:03:11]<<Program Manager>>....[10:03:11]<<Program Manager>>....[10:03:11]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatavrMwtqzy.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.274459647512963
Encrypted:	false
SSDEEP:	6:tMC1XpdQZdQZdQZdQZdQZdQZdQZTpTpTpTpx:tMwpUUUUUUU9999x
MD5:	1BE7381E11967BF74890399F891057B7
SHA1:	80EADB87FDB81031E1025EA56D6C2170B14CAF13
SHA-256:	99378CD8130CA4FD092C46A83DF1E6ED70175CD75ACE6382C6821601545D55E8
SHA-512:	57E7CC1D29F1B0567E1315AFFACC62C3C9C77032A13D51AEA05DEE425020CB53A96A1F761A58F5DFD724244C7E2FD5AC52E882DCD0675AF2298E1AA92B891A17
Malicious:	false
Preview:	..[10:03:03]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:04]<<Program Manager>>....[10:03:05]<<Program Manager>>....[10:03:05]<<Program Manager>>....[10:03:05]<<Program Manager>>....[10:03:05]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatavrrynjNC.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	363
Entropy (8bit):	4.234751417603449
Encrypted:	false
SSDEEP:	6:tM0WbWbWbWbWT1XpT1XpT1XpT1XpT1XpT1Xpx:tM0WbWbWbWbWJpJpJpJpJpJpx
MD5:	069591FC53B9F9B5BBA1D99D227E591F
SHA1:	93EDA6DA86C8B0177D92F81846667D900A983522
SHA-256:	ED26172675B2430D52D612E56E18F05070F67ACFB661EC674A1E187B141DCB0A
SHA-512:	C2957B4D76DA6A4E92AED7C8772C86D193EEE097678E85BA3FB829FF4AD80135CC499049972475F512E211CAF392A1D1F174B22683EA73BF3657909011848CC0
Malicious:	false
Preview:	..[10:03:02]<<Program Manager>>....[10:03:02]<<Program Manager>>....[10:03:02]<<Program Manager>>....[10:03:02]<<Program Manager>>....[10:03:02]<<Program Manager>>....[10:03:03]<<Program Manager>>....[10:03:03]<<Program Manager>>....[10:03:03]<<Program Manager>>....[10:03:03]<<Program Manager>>....[10:03:03]<<Program Manager>>....[10:03:03]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDatawjhcJLYF.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13906
Entropy (8bit):	4.571480193155414
Encrypted:	false
SSDEEP:	96:6cccccccnIIkFFTFFFFFFFSOOOOOOOreeeeeeo:Weeeeeeo
MD5:	C7A044743E892054543036347F6F2001
SHA1:	698E7881DFC72DB3307D2073B947F04962A9C643
SHA-256:	8D7C08452D0FF57681DE541B38953286C534041A80BA19FDFCCC3B532B77596B
SHA-512:	BA88EA926A2447DA751C29E6E2E17045FB6D3EBDBE87FB2A7A2BF56367E317081063F7B4F6A34555FC34E93C241E626331AB07B42AA7DF4A63B3A269DEF7447B
Malicious:	false
Preview:	..[10:01:44]<<Program Manager>>....[10:01:44]<<Program Manager>>....[10:01:44]<<Program Manager>>....[10:01:44]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:45]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:46]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:47]<<Program Manager>>....[10:01:48]<<Program Manager>>....[10:01:48]<<Program Manager>>....[10:01:48]<<Program Manager>>....[10:01:48]<<Program Manager>>....[10:01:48]<<Program Manager>>....[10:01:4

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\KeyDataxvXGxqSs.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	396
Entropy (8bit):	4.252996081100579
Encrypted:	false
SSDEEP:	3:tMf8ln1ZE41ln1ZE41WfE41WfE41WfE41WfE41WfE41WfE41WfE41vE41vE41vEs:tMOf7faaaaaaaFFFx
MD5:	1B46BDC60F59E67BBB3ECB8A122902BE
SHA1:	15A5875C32C9E95FCF1BBC50BC116A2736A7BE3B
SHA-256:	188BFE199B8E23C2966F6BB634223A8643CD6897D57AFB65E18D2596113E34EB
SHA-512:	E9AFDC94E1210DD4CB716532178F061BD625FE33F5815C58B88B38C6DC9DF3DC6C02D83E649331734474BF543A2FA183163F53B50C22CF2CE879ED72E2EBA1C8
Malicious:	false
Preview:	..[10:03:32]<<Program Manager>>....[10:03:32]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:33]<<Program Manager>>....[10:03:34]<<Program Manager>>....[10:03:34]<<Program Manager>>....[10:03:34]<<Program Manager>>..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogboosiesKhQkghmLOecvzzzzqDsmEfgZAqZAOiNtoiOJELzobTbCKdMrYNAgoddess

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Statement 2024-11-29 (K07234).exe, Detection: malicious, Browse Filename: PO54782322024.exe, Detection: malicious, Browse Filename: m30zZYga23.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: AWB#150332.exe, Detection: malicious, Browse Filename: SOA_9828392091.exe, Detection: malicious, Browse Filename: ngPebbPhbp.exe, Detection: malicious, Browse Filename: Pi648je050.exe, Detection: malicious, Browse Filename: shipping documents.exe, Detection: malicious, Browse Filename: Termination_List_November_2024_pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1063944
Entropy (8bit):	7.787800183434198
Encrypted:	false
SSDEEP:	24576:wjlIhSPd+phHhKCgewqRAbJqTu+Ew06lASo8FeTMHA5AcFE:wjl+SPsp7znHyV6L06lASo8F7g7E
MD5:	FBF77E7D5F394A432DA4903E37C2E40A
SHA1:	27C9BD92BE2199EE6AB036CA8BB2AD6119101E2C
SHA-256:	34EC90CCD81677A867A00F697ECE5799CDBBFAF76556701353FE8FCDC3C674C1
SHA-512:	A5FBA4AC6EA43CED0A3C3F9471AFCC524B03B84AD5B0A6FA9261DB7ADD428462E7B3E28DC250CD1E0C5CD36C65126077306E7F7B0BF166B1E67BF2D50735F4CC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7`g..............0......&......b.... ........@.. .......................`............@.....................................O.......("...............6...@....................................................... ............... ..H............text...h.... ...................... ..`.rsrc...(".......$..................@..@.reloc.......@......................@..B................D.......H.......d1...!...........S...............................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....f........s ...s!...("....~..{....r...po......{....o#.....0..}.........{....r9..po......+7...{.....\|....o$...}....(%....{....o&.....{.....o........+.&..{....rS..po........&..{....rS..po...................>P..........>f.........}.....('.......s....}....

C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.787800183434198
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO.exe
File size:	1'063'944 bytes
MD5:	fbf77e7d5f394a432da4903e37c2e40a
SHA1:	27c9bd92be2199ee6ab036ca8bb2ad6119101e2c
SHA256:	34ec90ccd81677a867a00f697ece5799cdbbfaf76556701353fe8fcdc3c674c1
SHA512:	a5fba4ac6ea43ced0a3c3f9471afcc524b03b84ad5b0a6fa9261db7add428462e7b3e28dc250cd1e0c5cd36c65126077306e7f7b0bf166b1e67bf2d50735f4cc
SSDEEP:	24576:wjlIhSPd+phHhKCgewqRAbJqTu+Ew06lASo8FeTMHA5AcFE:wjl+SPsp7znHyV6L06lASo8F7g7E
TLSH:	6035D0D03F3A7701DEA8B934817AEDBC52592E74B00479E36EED2B47B69D1126A1CF04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7`g..............0......&......b.... ........@.. .......................`............@................................

File Icon


Icon Hash:	37c38329a3924d33

Static PE Info

General

Entrypoint:	0x4ffd62
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676037A8 [Mon Dec 16 14:22:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xffd10	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x2228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x100600	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfdd68	0xfde00	5bb4e6307207ae15cb1de8fa21966c3e	False	0.9101322085795175	data	7.7873724166581635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x100000	0x2228	0x2400	fb55140d3149d021e3ae42ee4011ad16	False	0.8844401041666666	data	7.383996676687039	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xc	0x200	9c403f2446e07aa213a48cec85e79692	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1000c8	0x1e1f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9939048113085203
RT_GROUP_ICON	0x101ef8	0x14	data	1.05
RT_VERSION	0x101f1c	0x308	data	0.4574742268041237

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T16:01:53.480786+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	162.55.60.2	80	TCP
2024-12-20T16:02:01.570663+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49716	162.55.60.2	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:01:52.083297014 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:52.203053951 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:52.203147888 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:52.203320980 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:52.323199987 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.480680943 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.480717897 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.480730057 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.480786085 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.480829954 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.481112957 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481126070 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481136084 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481156111 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481168985 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481179953 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.481225967 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.481635094 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481648922 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.481698990 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.600781918 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.600847006 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.600972891 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.601108074 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.604824066 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.604935884 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.672965050 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.673029900 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.673269033 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.673402071 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.677187920 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.677206993 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.677241087 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.677263021 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.685385942 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.685441017 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.688493967 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.688510895 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.688540936 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.688560009 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.697096109 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.697117090 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.697148085 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.697165966 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:01:53.705236912 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:01:53.705302954 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:00.157435894 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:00.277546883 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:00.277729034 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:00.277924061 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:00.397388935 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570595026 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570619106 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570631027 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570662975 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.570702076 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.570749044 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570760965 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570806980 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.570815086 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570827961 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.570858955 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.571034908 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.571055889 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.571069956 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.571080923 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.571095943 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.571124077 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.690443993 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.690502882 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.690514088 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.690556049 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.775767088 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.775906086 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.775904894 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.775954008 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.777760029 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.777806044 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.777932882 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.777992964 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.786011934 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.786068916 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.786218882 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.786365032 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.794548988 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.794586897 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.794599056 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.794641018 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.802798033 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.802848101 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:02:01.803253889 CET	80	49716	162.55.60.2	192.168.2.8
Dec 20, 2024 16:02:01.803365946 CET	49716	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:03:41.288602114 CET	49711	80	192.168.2.8	162.55.60.2
Dec 20, 2024 16:03:41.409920931 CET	80	49711	162.55.60.2	192.168.2.8
Dec 20, 2024 16:03:41.409996986 CET	49711	80	192.168.2.8	162.55.60.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 16:01:51.323381901 CET	50547	53	192.168.2.8	1.1.1.1
Dec 20, 2024 16:01:52.077903032 CET	53	50547	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 16:01:51.323381901 CET	192.168.2.8	1.1.1.1	0x9307	Standard query (0)	showip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 16:01:52.077903032 CET	1.1.1.1	192.168.2.8	0x9307	No error (0)	showip.net		162.55.60.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

showip.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	162.55.60.2	80	5608	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:01:52.203320980 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Dec 20, 2024 16:01:53.480680943 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Fri, 20 Dec 2024 15:01:53 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Dec 20, 2024 16:01:53.480717897 CET	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Dec 20, 2024 16:01:53.480730057 CET	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Dec 20, 2024 16:01:53.481112957 CET	388	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Dec 20, 2024 16:01:53.481126070 CET	1236	IN	Data Raw: 61 72 20 62 3d 48 28 61 29 3b 31 21 3d 3d 28 62 26 31 29 26 26 28 4f 62 6a 65 63 74 2e 69 73 46 72 6f 7a 65 6e 28 61 29 26 26 28 61 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 29 2c 49 28 61 2c 62 7c Data Ascii: ar b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b\|1))} var H=F?function(a){return a[F]\|0}:function(a){return a.g\|0},J=F?function(a){return a[F]}:function(a){return a.g},I=F?function(a,b){a[F]=b}:function(a
Dec 20, 2024 16:01:53.481136084 CET	1236	IN	Data Raw: 65 3d 61 2e 6c 65 6e 67 74 68 2c 66 3d 64 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 61 5b 66 5d 3b 6e 75 6c 6c 21 3d 67 26 26 67 21 3d 3d 63 26 26 28 63 5b 66 2d 62 5d 3d 67 29 7d 61 2e 6c 65 6e 67 74 68 3d 64 2b 31 3b 61 5b 64 5d 3d 63 7d Data Ascii: e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.length=d+1;a[d]=c};function Aa(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "boolean":return a?1:0;case "object":if(a&&!Array.isArray(a)&&ta&&null!=a&&a i
Dec 20, 2024 16:01:53.481156111 CET	1236	IN	Data Raw: 28 65 2c 66 29 26 26 28 62 5b 66 5d 3d 63 28 65 5b 66 5d 29 29 7d 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 44 61 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 69 66 28 6e 75 6c 6c 21 3d 61 29 7b 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 Data Ascii: (e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a){if(Array.isArray(a))a=e&&0==a.length&&H(a)&1?void 0:f&&H(a)&2?a:Ea(a,b,c,void 0!==d,e,f);else if(N(a)){var g={},h;for(h in a)Object.prototype.hasOwnProperty.call(a,h)&&(g[h]=D
Dec 20, 2024 16:01:53.481168985 CET	1236	IN	Data Raw: 66 28 63 3e 3d 66 7c 7c 65 29 7b 65 3d 62 3b 69 66 28 62 26 32 35 36 29 66 3d 61 5b 61 2e 6c 65 6e 67 74 68 2d 31 5d 3b 65 6c 73 65 7b 69 66 28 6e 75 6c 6c 3d 3d 64 29 72 65 74 75 72 6e 3b 66 3d 61 5b 66 2b 28 28 62 3e 3e 39 26 31 29 2d 31 29 5d Data Ascii: f(c>=f\|\|e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e\|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)} function La(a,b){var c
Dec 20, 2024 16:01:53.481635094 CET	1236	IN	Data Raw: 72 65 61 6b 7d 66 3d 21 30 7d 65 3d 62 3b 63 3d 21 63 3b 67 3d 4a 28 61 2e 68 29 3b 61 3d 4c 28 67 29 3b 67 3d 28 67 3e 3e 39 26 31 29 2d 31 3b 66 6f 72 28 76 61 72 20 68 2c 6b 2c 77 3d 30 3b 77 3c 64 2e 6c 65 6e 67 74 68 3b 77 2b 2b 29 69 66 28 Data Ascii: reak}f=!0}e=b;c=!c;g=J(a.h);a=L(g);g=(g>>9&1)-1;for(var h,k,w=0;w<d.length;w++)if(k=d[w],k<a){k+=g;var r=e[k];null==r?e[k]=c?O:wa():c&&r!==O&&va(r)}else h\|\|(r=void 0,e.length&&N(r=e[e.length-1])?h=r:e.push(h={})),r=h[k],null==h[k]?h[k]=c?O:wa(
Dec 20, 2024 16:01:53.481648922 CET	1236	IN	Data Raw: 6e 63 74 69 6f 6e 20 57 61 28 61 29 7b 74 68 69 73 2e 67 3d 61 7c 7c 70 2e 64 6f 63 75 6d 65 6e 74 7c 7c 64 6f 63 75 6d 65 6e 74 7d 57 61 2e 70 72 6f 74 6f 74 79 70 65 2e 61 70 70 65 6e 64 43 68 69 6c 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 Data Ascii: nction Wa(a){this.g=a\|\|p.document\|\|document}Wa.prototype.appendChild=function(a,b){a.appendChild(b)}; function Xa(a,b){a.src=b instanceof V&&b.constructor===V?b.g:"type_error:TrustedResourceUrl";var c,d;(c=(b=null==(d=(c=(a.ownerDocumen
Dec 20, 2024 16:01:53.600781918 CET	1236	IN	Data Raw: 28 61 29 7b 69 66 28 61 2e 69 2e 62 6f 64 79 26 26 21 61 2e 6d 29 7b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 62 28 61 29 3b 70 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 67 62 28 61 2c Data Ascii: (a){if(a.i.body&&!a.m){var b=function(){fb(a);p.setTimeout(function(){return gb(a,3)},50)};Za(a.l,a.u,2,!0,function(){p[a.o]\|\|b()},b);a.m=!0}} function fb(a){for(var b=W(1,5),c=0;c<b;c++){var d=X(a);a.i.body.appendChild(d);a.j.push(d)}b=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49716	162.55.60.2	80	7468	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 16:02:00.277924061 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Dec 20, 2024 16:02:01.570595026 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Fri, 20 Dec 2024 15:02:01 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Dec 20, 2024 16:02:01.570619106 CET	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Dec 20, 2024 16:02:01.570631027 CET	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Dec 20, 2024 16:02:01.570749044 CET	1236	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Dec 20, 2024 16:02:01.570760965 CET	1236	IN	Data Raw: 61 79 28 61 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 29 3b 64 3d 48 28 61 29 3b 69 66 28 64 26 36 34 29 72 65 74 75 72 6e 20 61 3b 64 7c 3d 36 34 3b 69 66 28 63 26 26 28 64 7c 3d 35 31 32 2c 63 21 3d 3d 61 5b 30 5d 29 29 74 68 72 6f 77 20 45 72 Data Ascii: ay(a))throw Error();d=H(a);if(d&64)return a;d\|=64;if(c&&(d\|=512,c!==a[0]))throw Error();a:{c=a;var e=c.length;if(e){var f=e-1,g=c[f];if(N(g)){d\|=256;b=(d>>9&1)-1;e=f-b;1024<=e&&(za(c,b,g),e=1023);d=d&-2095105\|(e&1023)<<11;break a}}b&&(g=(d>>9&
Dec 20, 2024 16:02:01.570815086 CET	1236	IN	Data Raw: 3d 62 5b 28 77 26 31 35 29 3c 3c 32 7c 68 3e 3e 36 5d 3b 68 3d 62 5b 68 26 36 33 5d 3b 63 5b 65 2b 2b 5d 3d 67 2b 6b 2b 77 2b 68 7d 67 3d 30 3b 68 3d 64 3b 73 77 69 74 63 68 28 61 2e 6c 65 6e 67 74 68 2d 66 29 7b 63 61 73 65 20 32 3a 67 3d 61 5b Data Ascii: =b[(w&15)<<2\|h>>6];h=b[h&63];c[e++]=g+k+w+h}g=0;h=d;switch(a.length-f){case 2:g=a[f+1],h=b[(g&15)<<2]\|\|d;case 1:a=a[f],c[e]=b[a>>2]+b[(a&3)<<4\|g>>4]+h+d}a=c.join("")}return a}}return a};function Ba(a,b,c){a=Array.prototype.slice.call(a);var d=
Dec 20, 2024 16:02:01.570827961 CET	1236	IN	Data Raw: 75 72 6e 20 61 7d 7d 66 75 6e 63 74 69 6f 6e 20 48 61 28 61 2c 62 2c 63 29 7b 76 61 72 20 64 3d 63 7c 7c 62 26 32 3f 4b 3a 78 61 2c 65 3d 21 21 28 62 26 33 32 29 3b 61 3d 42 61 28 61 2c 62 2c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 72 65 74 75 72 6e Data Ascii: urn a}}function Ha(a,b,c){var d=c\|\|b&2?K:xa,e=!!(b&32);a=Ba(a,b,function(f){return Ga(f,e,d)});G(a,32\|(c?2:0));return a};function Ia(a,b){a=a.h;return Ja(a,J(a),b)}function Ja(a,b,c,d){if(-1===c)return null;if(c>=L(b)){if(b&256)return a[a.leng
Dec 20, 2024 16:02:01.571034908 CET	1000	IN	Data Raw: 74 6f 4a 53 4f 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 45 61 28 74 68 69 73 2e 68 2c 46 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 2c 21 31 29 3b 72 65 74 75 72 6e 20 50 61 28 74 68 69 73 2c 61 2c 21 30 29 7d 3b 54 2e Data Ascii: toJSON=function(){var a=Ea(this.h,Fa,void 0,void 0,!1,!1);return Pa(this,a,!0)};T.prototype.s=M;T.prototype.toString=function(){return Pa(this,this.h,!1).toString()}; function Pa(a,b,c){var d=a.constructor.v,e=L(J(c?a.h:b)),f=!1;if(d){if
Dec 20, 2024 16:02:01.571055889 CET	1236	IN	Data Raw: 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 62 2c 30 2c 64 29 3b 62 3d 64 61 3b 66 26 26 28 62 2e 6c 65 6e 67 74 68 3d 64 29 3b 79 26 26 62 2e 70 75 73 68 28 79 29 3b 72 65 74 75 72 6e 20 62 7d 3b 66 75 6e 63 74 69 6f Data Ascii: ay.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&b.push(y);return b};function Qa(a){return function(b){if(null==b\|\|""==b)b=new a;else{b=JSON.parse(b);if(!Array.isArray(b))throw Error(void 0);G(b,32);b=Q(a,b)}return b}};function Ra(a){thi
Dec 20, 2024 16:02:01.571069956 CET	1236	IN	Data Raw: 3b 64 26 26 67 2e 68 65 61 64 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 68 29 7d 29 3b 68 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 65 72 72 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 30 3c 63 3f 5a 61 28 61 2c 62 2c 63 2d 31 2c 64 Data Ascii: ;d&&g.head.removeChild(h)});h.addEventListener("error",function(){0<c?Za(a,b,c-1,d,e,f):(d&&g.head.removeChild(h),f())})}catch(k){f()}};var $a=p.atob("aHR0cHM6Ly93d3cuZ3N0YXRpYy5jb20vaW1hZ2VzL2ljb25zL21hdGVyaWFsL3N5c3RlbS8xeC93YXJuaW5nX2FtYmVy
Dec 20, 2024 16:02:01.690443993 CET	1236	IN	Data Raw: 62 6f 74 6f 2c 20 41 72 69 61 6c 22 3b 63 3d 58 28 61 29 3b 63 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 57 28 38 30 2c 0a 20 20 20 20 20 20 38 35 29 2e 74 6f 53 74 72 69 6e 67 28 29 2b 22 25 22 3b 63 2e 73 74 79 6c 65 2e 6d 61 78 57 69 64 74 68 3d Data Ascii: boto, Arial";c=X(a);c.style.width=W(80, 85).toString()+"%";c.style.maxWidth=W(750,775).toString()+"px";c.style.margin="24px";c.style.display="flex";c.style["align-items"]="flex-start";c.style["justify-content"]="center";d=Va(a.l.g,"IMG")

Target ID:	0
Start time:	10:01:38
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO.exe"
Imagebase:	0xf70000
File size:	1'063'944 bytes
MD5 hash:	FBF77E7D5F394A432DA4903E37C2E40A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1557535702.000000000514B000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1557535702.0000000005090000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1557535702.00000000050D9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO.exe"
Imagebase:	0x870000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe"
Imagebase:	0x870000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmpEB05.tmp"
Imagebase:	0x6f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:01:43
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:01:44
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x960000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:01:45
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\lEIbxztPTKpOpY.exe
Imagebase:	0x7a0000
File size:	1'063'944 bytes
MD5 hash:	FBF77E7D5F394A432DA4903E37C2E40A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000A.00000002.1632857470.0000000004794000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 0000000A.00000002.1632857470.0000000004565000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:01:51
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lEIbxztPTKpOpY" /XML "C:\Users\user\AppData\Local\Temp\tmp776.tmp"
Imagebase:	0x6f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:01:51
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:01:51
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x610000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	10:02:15
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe"
Imagebase:	0x310000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:02:15
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:02:23
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fretsaw.exe"
Imagebase:	0x240000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:02:23
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.8%
Total number of Nodes:	366
Total number of Limit Nodes:	20

Executed Functions

Function 07FB2BE0 Relevance: 4.1, Strings: 3, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07FB2FC4
ry, xrefs: 07FB2FCB
ry, xrefs: 07FB2FE2

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: efe0681869459cd36ef0927b4f20a3484274b9487937cba3ad3c2a9541a151ec
Instruction ID: 80e312d81366b7fb0d81d986487092a1ba3fcf017875bd80af330d3c7d8a3c5f
Opcode Fuzzy Hash: efe0681869459cd36ef0927b4f20a3484274b9487937cba3ad3c2a9541a151ec
Instruction Fuzzy Hash: C5E15CB6E14606CFCB15CFA6D8854EEFBB2FF89310F188556D411AB254D734AA42CF90

Function 07FB2CAD Relevance: 4.1, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07FB2FC4
ry, xrefs: 07FB2FCB
ry, xrefs: 07FB2FE2

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 8de53b48821fda0d637ba9a3065f3ddfb27b1f3c51687ddebf822ce412807df6
Instruction ID: 565b121e7610a94bba16916cbb702cf050c522bd0eb0b1e4efd44e839addf4ab
Opcode Fuzzy Hash: 8de53b48821fda0d637ba9a3065f3ddfb27b1f3c51687ddebf822ce412807df6
Instruction Fuzzy Hash: 9BD139B6E1460ADFCB24CFA6D8854EEFBB2FF89300F548556D411AB214D734AA42CF94

Function 07FB2CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07FB2FC4
ry, xrefs: 07FB2FCB
ry, xrefs: 07FB2FE2

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 93a1d7d0410789912dcd275948e353f7eea761573dada17e43d5091773fd0128
Instruction ID: fcd179c3d6ea310242fe2b2fdeeba7f0a9264b2405492864548a45f2cf2649bc
Opcode Fuzzy Hash: 93a1d7d0410789912dcd275948e353f7eea761573dada17e43d5091773fd0128
Instruction Fuzzy Hash: BDC128B5E1460ADFCB24CF96C4858AEFBB2FF89300F148556D416AB218D734A942CF94

Function 07FB96C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 07FB9838
UC;", xrefs: 07FB98B6

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 546122b162c26aa70dcf381f480720a77385658f40dbde9ef771704ca4273105
Instruction ID: e45cd281bf0f7111de62ad589c813ae483916609b332a3c7d83efc3da8e47350
Opcode Fuzzy Hash: 546122b162c26aa70dcf381f480720a77385658f40dbde9ef771704ca4273105
Instruction Fuzzy Hash: 319139B5D24209DFCB18CFA6E5809DEFBF2EF8A340F24A42AE515A7264D770A505CF50

Function 07FB96C3 Relevance: 2.7, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 07FB9838
UC;", xrefs: 07FB98B6

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 8ae59af07fbccb7a168df1cc6a0c4a08f6cba1c1263be006d6557e988105cf86
Instruction ID: e78ded942e7384680804cc7465ce193bcf818cdbaff60011d5edc34d110d21ba
Opcode Fuzzy Hash: 8ae59af07fbccb7a168df1cc6a0c4a08f6cba1c1263be006d6557e988105cf86
Instruction Fuzzy Hash: AD9139B5D24209DFCB18CFA6E5809DEFBF2EF8A350F24902AE515A7264D770A905CF50

Function 07FB0B3D Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

z^I, xrefs: 07FB0D51

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 469da52d1513a0fa57045bd46e72f89b1b337c2dc75a47e5d2c15c8bea39fd9b
Instruction ID: fd8eac32fe23cfe5a8c6d28672e479de33216cb0cf8d2abd7281941dfed98d13
Opcode Fuzzy Hash: 469da52d1513a0fa57045bd46e72f89b1b337c2dc75a47e5d2c15c8bea39fd9b
Instruction Fuzzy Hash: 2AA126B5E142198FCB18CFAAC8846DEFBB2FF89310F18902AD415AB254DB349945CF64

Function 07FB0B76 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

z^I, xrefs: 07FB0D51

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: dc9c710619c2d5be16bc691b899111fa4b68350febf1e755a9c550b6904e9bfa
Instruction ID: 454f418d4190bdbda2af9ac33fb6e1ae044924b70fb8dd4845a73a5f269e3894
Opcode Fuzzy Hash: dc9c710619c2d5be16bc691b899111fa4b68350febf1e755a9c550b6904e9bfa
Instruction Fuzzy Hash: 3EA1E3B5E142198FCB18CFAAC5846DEFBB2FF89300F24942AD415AB254D7349945CF54

Function 07FB0B90 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 07FB0D51

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: c24347d354042cc4bfcaeeddbea7a6325f7c23dcb1836c6b2e6dede28a948e32
Instruction ID: f0025d63b379d6547590a2b846991526d2447c5be2bfa0328808ded47b171bf4
Opcode Fuzzy Hash: c24347d354042cc4bfcaeeddbea7a6325f7c23dcb1836c6b2e6dede28a948e32
Instruction Fuzzy Hash: 9491C3B5E142198FCB18CFAAC584ADEFBB2FF89300F24942AD415BB254DB349945CF64

Function 07FB8090 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 07FB81CE

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 503c4d1b178b33ac8efc6882fe5c8fd603cdbd5ea1df7046ab741d8d2d8092a5
Instruction ID: 886b1f2538f971745055eb3262f9e70e7dd5085478650c507082b4b75081dc09
Opcode Fuzzy Hash: 503c4d1b178b33ac8efc6882fe5c8fd603cdbd5ea1df7046ab741d8d2d8092a5
Instruction Fuzzy Hash: 3A7135B5E1960ADFCB04CFA6D9414AEFBF2EF89281F04D46AD416E7254DB349A018F90

Function 07FB80A0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 07FB81CE

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: df10d36d81e0f30fbd8911109d17b78297259e4409977bf5d281b8cdbad62b95
Instruction ID: 22c029fbac421d929ba93940b10df1b3de35162d2bc3d6d12be473caa2c25b15
Opcode Fuzzy Hash: df10d36d81e0f30fbd8911109d17b78297259e4409977bf5d281b8cdbad62b95
Instruction Fuzzy Hash: 146146B5E1960ADBCB04CFA6D9414AEFBF6FF89281F04D46AD416F3214DB349A018F90

Function 0539B9B8 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fff1dad80b81308ff25abfd53acfae0dfb7e6f3042590d2cd2c1f692186c1e4
Instruction ID: cfc3a691c79291a0afae7868cd2d3d3a957cf3708b5d42a8f9c76188ebb1cc6b
Opcode Fuzzy Hash: 5fff1dad80b81308ff25abfd53acfae0dfb7e6f3042590d2cd2c1f692186c1e4
Instruction Fuzzy Hash: FAE1ABB1B053048FDB29DB65D464BAEB7FAAFC9700F10846DD18ADB2A0CB74E901CB51

Function 07FB9FC8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c9204f5b55f2af03fddaace7f35a362631b66a19afa66d21d472d9aa44a9b5
Instruction ID: 940d91d9efbd1b8e27e355e3a58c83b18fea935465903896768659ed89f6b48e
Opcode Fuzzy Hash: b4c9204f5b55f2af03fddaace7f35a362631b66a19afa66d21d472d9aa44a9b5
Instruction Fuzzy Hash: 51B1E5B1D15219DFCB28CFA6D5805DEFBB2FF89340F24D42AD419AB254DB35AA068F10

Function 07FB9FBA Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9523b0594e6a16604bc4e0a6b7d4a689a25dea34424fa3ebf3c0d39ecd719128
Instruction ID: 7f63dc3b1c90544cb9c7a3fadd15b23d58dffece33c75ef2b885436a4159d005
Opcode Fuzzy Hash: 9523b0594e6a16604bc4e0a6b7d4a689a25dea34424fa3ebf3c0d39ecd719128
Instruction Fuzzy Hash: CEB1E4B1E15219DFCB28CFA6D5805DEFBB2FF89340F24D42AD419A7254DB34AA068F10

Function 07FB1E7A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d21a8037d0e07ca0635575d85750997d93bc259575b42c8ff38b52cd65fa76
Instruction ID: d27a8ca01c5533223b4cb78d9057f318946b62143fccf5dd6e70e8846fa5504b
Opcode Fuzzy Hash: 73d21a8037d0e07ca0635575d85750997d93bc259575b42c8ff38b52cd65fa76
Instruction Fuzzy Hash: B03117B1E056588BDB18CFABD9502DEBBB3BFC9310F14C06AD409AB264DB345A46CF50

Function 05399CF5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c02e21816f7bbdefebf731bee79475c0e741fdc81c7fd2b43323297c4bde96
Instruction ID: 7b39a5a3d29c6b646414bab8dc65dfed2d7b79996f24eecdcea9e5b6fb4fa6b1
Opcode Fuzzy Hash: 81c02e21816f7bbdefebf731bee79475c0e741fdc81c7fd2b43323297c4bde96
Instruction Fuzzy Hash: 1A111CB5909214CFCF28CF54E8447F8B7BDAB4A311F04A19A840EA3661D7359A85CF50

Function 05399C14 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8991bd3af3b035da2d6bdcd3ffb09a4eccfb0123006ce04c56d06acd8c897e
Instruction ID: e684463c0f2c6a3b8e334249a4236d9be5cfa8fb39c440bfa945ebaf92c947b9
Opcode Fuzzy Hash: bb8991bd3af3b035da2d6bdcd3ffb09a4eccfb0123006ce04c56d06acd8c897e
Instruction Fuzzy Hash: 2DF0E7B594D258CFCF18CF90E8483F9B7BDAB4A351F4061AAC40AA2651D7358A95CF50

Function 0193D4C9 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0193D556
GetCurrentThread.KERNEL32 ref: 0193D593
GetCurrentProcess.KERNEL32 ref: 0193D5D0
GetCurrentThreadId.KERNEL32 ref: 0193D629

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fb1a10ec64fc9c5a21a9b099793acef7b4999794e0e355a09a6b60922e3c25e7
Instruction ID: 13b97001131624994be59816fab7b271a423059a89fbeeb58f0eb06b27aac7a9
Opcode Fuzzy Hash: fb1a10ec64fc9c5a21a9b099793acef7b4999794e0e355a09a6b60922e3c25e7
Instruction Fuzzy Hash: BA5169B090034A8FDB14DFA9D5487AEBFF1BF88315F248459E419A7390DB349944CF65

Function 0193D4D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0193D556
GetCurrentThread.KERNEL32 ref: 0193D593
GetCurrentProcess.KERNEL32 ref: 0193D5D0
GetCurrentThreadId.KERNEL32 ref: 0193D629

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7260ca672dd8846da0daab1346a7d8572978e03a614e5c78eaf741c9a6927f7
Instruction ID: a5634bc06c420251915f65a5164a6dde03f0950cf91c43a4733d4a42e51e2cb4
Opcode Fuzzy Hash: f7260ca672dd8846da0daab1346a7d8572978e03a614e5c78eaf741c9a6927f7
Instruction Fuzzy Hash: 9C5157B090030A8FDB54DFAAD548BAEBFF5BF88314F208459E419A7390DB74A944CF65

Function 05395687 Relevance: 1.8, APIs: 1, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 05395825

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: ActiveWindow
String ID:
API String ID: 2558294473-0
Opcode ID: c5946bf69681462b91b04bf44a5ae80c415c128886f51b8e03dd8edaa2bab227
Instruction ID: a5dbe7ab4b010b9db74791d07d85beb01c0921a39661f5275ec6eb99ca82de37
Opcode Fuzzy Hash: c5946bf69681462b91b04bf44a5ae80c415c128886f51b8e03dd8edaa2bab227
Instruction Fuzzy Hash: 47C19F71F143199BDB19AFA594547AE7BE6BFC9300F148828D806EB380DF789C42CB65

Function 053947C4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05394A06

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a0e951d3f6b4110499de6252cfb5e819a4251acb53ac8bbd020158752c041f9a
Instruction ID: 414540689acc08e3d602958cc65365497901bdaef112914b92e3dc3f43f42401
Opcode Fuzzy Hash: a0e951d3f6b4110499de6252cfb5e819a4251acb53ac8bbd020158752c041f9a
Instruction Fuzzy Hash: 45A15BB1D0475A8FEF15DF68C840BEDBBB2BF48310F1485A9D809A7240DB759982CF91

Function 053947D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05394A06

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ae0f10d7863cc9d54382686dd2f973fff6c713a30c38a85f132c21224c11ecfa
Instruction ID: 839a9eac53f97f3397c887e5b728678ebafeb5aa0975417f7ed69208221b5436
Opcode Fuzzy Hash: ae0f10d7863cc9d54382686dd2f973fff6c713a30c38a85f132c21224c11ecfa
Instruction Fuzzy Hash: FB914BB1D0475A9FEF14DF68C840BEEBBB2BF48310F148569E809A7240DB759986CF91

Function 0193AE48 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0193B09E

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7bf630b97ac635244d680455d60a2dea504f4918bfe28944880775c739e3baa4
Instruction ID: 185a2d4262a34ab67287eceaa4f8bbac1517cd98f2f14bae99113fae22141b1f
Opcode Fuzzy Hash: 7bf630b97ac635244d680455d60a2dea504f4918bfe28944880775c739e3baa4
Instruction Fuzzy Hash: 517135B0A00B058FE724DF2AD45475ABBF5FF88301F008A2DE49AD7A90DB75E845CB95

Function 019344B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019359C9

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f21d0c144f0b66a6c91c56f6812eb61de89d41a9b60ec01e10d297cd96004ffb
Instruction ID: b6a9af1555fb599abb94e3b15579932591a71cb2349d4fca833632c4a9998af2
Opcode Fuzzy Hash: f21d0c144f0b66a6c91c56f6812eb61de89d41a9b60ec01e10d297cd96004ffb
Instruction Fuzzy Hash: 7141E0B0D0071DCBEB24DFAAC884B9EBBF5BF89704F20815AD408AB251DB755946CF90

Function 0193590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019359C9

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3c77bf88601e1a0e7ae7a89116280ba58027d6a7bfde7401f70fe56e2c18f6d1
Instruction ID: 6856931dc434f998463831f9166185101e568d459b08c0d9230e3e0ee3d3ae0f
Opcode Fuzzy Hash: 3c77bf88601e1a0e7ae7a89116280ba58027d6a7bfde7401f70fe56e2c18f6d1
Instruction Fuzzy Hash: 1041E0B1D00719CFEB24DFAAC884B9EBBB1BF89704F60816AD408AB251DB755946CF50

Function 05394109 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053941A0

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3b33dcbc8e6b611bf62165f224508b57c5e9191a5cea10803abcd2c21209e854
Instruction ID: 58cd6aad6ae199940c2e3ebaca26d2f80a5fb3a578efe7d4e0452de12e107861
Opcode Fuzzy Hash: 3b33dcbc8e6b611bf62165f224508b57c5e9191a5cea10803abcd2c21209e854
Instruction Fuzzy Hash: C2215AB19003499FDF14DFAAC881BDEBBF5FF88310F108429E919A7240C7789944CB61

Function 05394110 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053941A0

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 30f7ec4faab185d5050960b599778a9e4851365f2018250659ee0403ec3032bf
Instruction ID: e008ec6c1d43587be08251a41c7f2c28f317d3c1b23ee719ec6ee2b075149446
Opcode Fuzzy Hash: 30f7ec4faab185d5050960b599778a9e4851365f2018250659ee0403ec3032bf
Instruction Fuzzy Hash: 502127B59003499FDF14DFAAC881BDEBBF5FF88310F108429E919A7240C7789945CBA1

Function 05396A90 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 05396B22

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: dbf32987a6cfb71d7b059f713e869c8ac05d0658d8959ea3081393adbc3aa117
Instruction ID: 1578877f4df680e098ba762e1b2fffc277fa24c921f1daf80eb648dd8ce80c7f
Opcode Fuzzy Hash: dbf32987a6cfb71d7b059f713e869c8ac05d0658d8959ea3081393adbc3aa117
Instruction Fuzzy Hash: 013176B590034A8FCB00DF9AD484A9EBFF0FF89310F148559D419AB311D774A844CFA1

Function 05394633 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053946B8

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5bd5254d1a66c50b0f5afca3bd426001d4a5d6576ca2c39aabf4f0ef193839ee
Instruction ID: 445ba6bd0ef30c91bd58d9068935b6e503dce92943d324901f9c823553aa4d02
Opcode Fuzzy Hash: 5bd5254d1a66c50b0f5afca3bd426001d4a5d6576ca2c39aabf4f0ef193839ee
Instruction Fuzzy Hash: E92128B19003499FDF14DFAAC881BEEBBF5FF48310F50842AE919A7240C7789901CBA5

Function 05393B38 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05393BBE

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0cb4d12f48453ff15dbe427561024d188893e7292c725fdabc4af000209c288c
Instruction ID: 534ae6bc11cc7b5509fd595fe22da2bf8a823a6a75764af89c9f7c47d7346306
Opcode Fuzzy Hash: 0cb4d12f48453ff15dbe427561024d188893e7292c725fdabc4af000209c288c
Instruction Fuzzy Hash: 4B213AB1D003098FDB14DFAAC4847EEBBF5BF88324F148929D419A7280CB789945CFA0

Function 05394638 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053946B8

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0f63cc04da6583ee5ed2d3e6be8f2758242c4d2fa1650722122768838bce387f
Instruction ID: 6b98fdcf92c3c15f953b1db0e185d32ff5c63fd6fecab73b891615fbe33dd645
Opcode Fuzzy Hash: 0f63cc04da6583ee5ed2d3e6be8f2758242c4d2fa1650722122768838bce387f
Instruction Fuzzy Hash: 402128B19003499FDF14DFAAC880BEEBBF5FF48310F508429E919A7240C7789901CBA5

Function 05393B40 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05393BBE

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c80a5180b4461bf8f7941cd654f2dacdfd6802a612681548ea9c81ed55677035
Instruction ID: d8634811a41a9835e707472b4c4566ec4ae50f3eeb46ad01359e1c11754a40fc
Opcode Fuzzy Hash: c80a5180b4461bf8f7941cd654f2dacdfd6802a612681548ea9c81ed55677035
Instruction Fuzzy Hash: 752118B19003098FDB14DFAAC485BAEBBF5AF88214F148829D559A7240CB789945CFA5

Function 0193D720 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0193D7A7

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fca58701f90babca352e261ddf38aa2d44b619dfb5d9ad95fa26a6e067de9c6a
Instruction ID: cca8a1aab48fcb4c707bbda91880b9ed09b6541d7db2069ecbe6e3af18d38067
Opcode Fuzzy Hash: fca58701f90babca352e261ddf38aa2d44b619dfb5d9ad95fa26a6e067de9c6a
Instruction Fuzzy Hash: 9A21B3B59002499FDB10DFAAD884ADEBBF9EB48310F14841AE919A3350D374A954CF65

Function 0193D719 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0193D7A7

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8004fe36c42afeac3091fe8ac8fd18944496bdeb2ef89a8addb35c55edcf1012
Instruction ID: 14c0a9d36beecd162382fc60a85834a2c297808614c161ba3778c63c9686afc5
Opcode Fuzzy Hash: 8004fe36c42afeac3091fe8ac8fd18944496bdeb2ef89a8addb35c55edcf1012
Instruction Fuzzy Hash: 7421E2B5D003499FDB10CFAAD584AEEBBF5FB48310F14841AE918A3350D378A950CF61

Function 05396B89 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05396C01

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: f85a666162b883d35afc652c5f878b7b54999652fe2d2ecfee5109f2cae75c51
Instruction ID: 21468ec8eb89ed78d03ead34b0206eebc74cbcba84713396cf298c3d6774bc13
Opcode Fuzzy Hash: f85a666162b883d35afc652c5f878b7b54999652fe2d2ecfee5109f2cae75c51
Instruction Fuzzy Hash: C6215BB1D002098FDB14CF9AC845BEEFBF9FB88310F148429E418A3240D778A941CFA5

Function 05397078 Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 053970FD

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 0c108a2952d02f04da92aa7ccfe888df30c8ca2bc5f66919023a23e439675cf6
Instruction ID: 93c79dae361958e276ee9504a0e2ce5579de8a9bb7ab53c819724dfb6f902ed0
Opcode Fuzzy Hash: 0c108a2952d02f04da92aa7ccfe888df30c8ca2bc5f66919023a23e439675cf6
Instruction Fuzzy Hash: F62102B69003499FCB14CF9AD884ADEFBF5FB89310F10852EE819A7240C375A544CFA1

Function 05396B90 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 05396C01

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 9d6a7f5a61d6e8de7a58e789e8b8cdae1ee309d3c51724d9ca9090be832c7ecd
Instruction ID: e8e51b8f77b1cd1f43cbde70beb41463032c9c8580b15603a072124b46a89c1a
Opcode Fuzzy Hash: 9d6a7f5a61d6e8de7a58e789e8b8cdae1ee309d3c51724d9ca9090be832c7ecd
Instruction Fuzzy Hash: 0B2138B1D0020A8FDB14DF9AC845BEEFBF5FB88320F14842AD418A3250D778A945CFA5

Function 05397080 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 053970FD

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 0d028fa7f14184a83f4556abaeaa41a36d98474e7a40f0977f10883f8a72f200
Instruction ID: c6c08301b62a1ef62b1badb125d0a38b4e27daad70c21994ae3870d6248c629d
Opcode Fuzzy Hash: 0d028fa7f14184a83f4556abaeaa41a36d98474e7a40f0977f10883f8a72f200
Instruction Fuzzy Hash: 0021E0B69043499FCB14CF9AD884ADEFBF5FB89310F14852EE819A7240C375A945CFA1

Function 07FB7CC0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07FB7D33

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 04a1ff4e5b6b04c766b26d1ed071412f68a06f0c5d2b9dfcfdd4d39ceaca6115
Instruction ID: 91c4f726dea5942904d0848beb79bb97b0b03d307be497c3d23d2c3b3d7f03d2
Opcode Fuzzy Hash: 04a1ff4e5b6b04c766b26d1ed071412f68a06f0c5d2b9dfcfdd4d39ceaca6115
Instruction Fuzzy Hash: F721E7B5D002499FDB10DF9AC484BDEFBF4FB48320F14842AE958A7250D778A545CFA1

Function 07FB7CB8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07FB7D33

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a04a5eac452ec7eb21d4b1370f952add16f61491cc3ddce76c80fe42c1aa231c
Instruction ID: 33076260e1391c4278598908e857c601f2e7d199942014b43bd1399a51ec2327
Opcode Fuzzy Hash: a04a5eac452ec7eb21d4b1370f952add16f61491cc3ddce76c80fe42c1aa231c
Instruction Fuzzy Hash: 3A21D8B5D0024A9FDB10DF9AC484BDEFBF5FB48310F14842AE458A7650D7789945CFA1

Function 05394050 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053940BE

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34bf821f98cfa59be5b20fd242b4882dce99570044ff4fa5faf391467a0200e3
Instruction ID: 29a460877f4f16da2ef130d8e7bc6daea4f1af28ab4ca01e7f169d4e1b0bf22c
Opcode Fuzzy Hash: 34bf821f98cfa59be5b20fd242b4882dce99570044ff4fa5faf391467a0200e3
Instruction Fuzzy Hash: 3D1144719003498FDF24DFAAC844BDEBBF5AB88320F108819E519A7250C7759910CBA0

Function 05394048 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053940BE

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6f6417f8dd3ef2645bd693a328678c0779dddd83dfc411e57ba8642c749c0311
Instruction ID: 43c07f3c9f6dde00688a0ade7c95d5cf58560be4c7ca24369aaf9183fffdd2ea
Opcode Fuzzy Hash: 6f6417f8dd3ef2645bd693a328678c0779dddd83dfc411e57ba8642c749c0311
Instruction Fuzzy Hash: 3E1189768003498FDF14DFA9C841BEEBBF5BF48310F108819E919A7250C7359511CF90

Function 05393681 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 053936EA

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 532a39a041a791fe11a8b24d9698fadf4781fa345c38e60d0c7d321cf727bd39
Instruction ID: 0c41eedab657a695579b5f26ef1483cdda7121944e1e6bc804ce2037875803d4
Opcode Fuzzy Hash: 532a39a041a791fe11a8b24d9698fadf4781fa345c38e60d0c7d321cf727bd39
Instruction Fuzzy Hash: F21158B5D003498FDB24DFAAC4457AEFFF9AB88220F248819D419A7240CB75A944CBA4

Function 05393688 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 053936EA

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a5ccb2368f30ce5d5040f4226f55679a0af09446f4666cc200a08f19109de5ec
Instruction ID: 36c3bdee10041397e839c55dc2f2c24f1a9504b649d81db99580791e58d66310
Opcode Fuzzy Hash: a5ccb2368f30ce5d5040f4226f55679a0af09446f4666cc200a08f19109de5ec
Instruction Fuzzy Hash: 26116AB5D003498FDB24DFAAC4447DEFBF9AF88220F208819D419A7340CB75A904CFA4

Function 0193B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0193B09E

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 552094c74790373705b9face94a6e48b2756f608475ecfa39dffa79c8dbda518
Instruction ID: 06fa8172864772ae2240f5616243d714f20b2e56e8865b52710cf49b217d6a97
Opcode Fuzzy Hash: 552094c74790373705b9face94a6e48b2756f608475ecfa39dffa79c8dbda518
Instruction Fuzzy Hash: 6011E0B5D003498FDB24DF9AC444BDEFBF9AB88324F10841AD929A7610D379A545CFA1

Function 05395F00 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 053966B5

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a9af7d88dc57ac2ab73fabd5b5206473871645185bdec842e9bf49988bbac6d3
Instruction ID: 1f2e9f5b228c81500516fe14bef23d70e81f391157fb9675b828198028843f51
Opcode Fuzzy Hash: a9af7d88dc57ac2ab73fabd5b5206473871645185bdec842e9bf49988bbac6d3
Instruction Fuzzy Hash: FB1115B59047498FCB20DF9AD585B9EFBF8EB48320F108419D519A7700C379A944CFA5

Function 05396658 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 053966B5

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1cb1926e8c85196439d29ebecd0b078c3736e589e9db7d9a9058172a1d05bc3e
Instruction ID: 17838845745a6a33da4ed23f4039c86c08e62abd91b79ab46cb21dadad37469f
Opcode Fuzzy Hash: 1cb1926e8c85196439d29ebecd0b078c3736e589e9db7d9a9058172a1d05bc3e
Instruction Fuzzy Hash: 0C1145B5C04349CFCB20DFAAC549BDEBBF4AB48210F10840AD558A3300D378A544CFA6

Function 05397428 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05397485

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c090fcf6c717de2272bc738072c2eacbc8117a1e56268e87abdf3f6dfaf558b5
Instruction ID: 565c4ecf649fc96c12d1e90f49a1283beb5e099a5d572cbb45f6924549d36e81
Opcode Fuzzy Hash: c090fcf6c717de2272bc738072c2eacbc8117a1e56268e87abdf3f6dfaf558b5
Instruction Fuzzy Hash: 4011D0B58043499FDB20DF9AC885BDEBFF8FB48720F10841AE918A7640C375A954CFA1

Function 05397420 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05397485

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e43a3d0abc8fe82391c8a909335257e038966a863fcb580ba9cb816a752ae905
Instruction ID: 96ce9e97c95c9303cef95c7d1ab0dfa62f9400d2af56dac549ae57afd6ce187e
Opcode Fuzzy Hash: e43a3d0abc8fe82391c8a909335257e038966a863fcb580ba9cb816a752ae905
Instruction Fuzzy Hash: B41103B58003498FDB10DF9AC585BDEBFF4FB48310F10881AE558A3240C374A954CFA5

Function 0152D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1553799948.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b9e7646f4738de25bd8068919c257f1257a4aa3fa179006949148b6e8ac584
Instruction ID: d684c10f786a9332556b569c1e51213c8d8f1162319bee7214b27fc2a08b8c63
Opcode Fuzzy Hash: c3b9e7646f4738de25bd8068919c257f1257a4aa3fa179006949148b6e8ac584
Instruction Fuzzy Hash: 4A2121B2604204DFDB05DF44D9C4B5ABBB5FB88324F20C569E8090F286C37AE446CAE2

Function 0167D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554305252.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8022d7f6a2bb5239d6cdc143f36392f5319d25ac219447af1950037d84d66192
Instruction ID: c92c5e1e7f6b8c32326a180c79aedfb591e23e12fa80080a5aa79490b941fa0b
Opcode Fuzzy Hash: 8022d7f6a2bb5239d6cdc143f36392f5319d25ac219447af1950037d84d66192
Instruction Fuzzy Hash: 17210071604300AFDB01DF94D980B26BBA1FF84224F20CAADEA4A4B382C336D447CA61

Function 0167D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554305252.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42819e10f3704a65b42392eb0e6b7135dcbb2186301ae490408fa1ebdeead025
Instruction ID: ce8926d2bcd5230fa7592a4e842c8d4cf3d86880631904f51f5433c97f1cb829
Opcode Fuzzy Hash: 42819e10f3704a65b42392eb0e6b7135dcbb2186301ae490408fa1ebdeead025
Instruction Fuzzy Hash: B021D075604304DFDB16DF64DD84B16BB65FF84214F24C96DD84A4B386C33AD447CA62

Function 0152D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1553799948.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 8aa1d550a3b7434a78fd833827725738779fbdb1e16c7c9dcf56c867c4698d69
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 3311CD76504280CFDB02CF44D9C0B5ABF72FB84224F2482A9D8090E297C37AE456CBA1

Function 0167D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554305252.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: b44c9846b85d43938e927191fd5bad2c47013d8974c70e52b49fe53e93c21f16
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 1411BE75504280CFCB12CF54D9C4B15BB62FB44314F24CAA9D8494B796C33AD40ACB61

Function 0167D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554305252.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_167d000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 47a80e30028b7fc99d55ed888e7c1277abc88fbdbae6fdaae5f951b22e1da2d5
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: B711BB75504280DFCB02CF54C9C0B15BFA2FF84224F28CAADD9494B396C33AD40ACB61

Non-executed Functions

Function 07FBA570 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 07FBA748

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 7c048e0ea227b194cf70d8989add0000c73ca859f59ed560bd1062bddcf0a0ec
Instruction ID: a0a23434aec6e602eb6b69e72274d94c21efcbbe312f613976860d9d786c9dcc
Opcode Fuzzy Hash: 7c048e0ea227b194cf70d8989add0000c73ca859f59ed560bd1062bddcf0a0ec
Instruction Fuzzy Hash: 59D109B1E15659DBCB18CFAAD9805DDFBF2BF89300F18D52AD419AB224D7309942CF50

Function 07FBA560 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

{#L, xrefs: 07FBA748

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 52fb16a29e182babfaf91d6a7d1daa7c92f02aaabebef9364f3ab3a5eef88b0d
Instruction ID: 0d805d3d360cc71edb1fda0d27c6c7eab5556d0c461358a50783020f642004b0
Opcode Fuzzy Hash: 52fb16a29e182babfaf91d6a7d1daa7c92f02aaabebef9364f3ab3a5eef88b0d
Instruction Fuzzy Hash: 17D117B1E15659DBCB18CFAAD9805DDFBF2BF89300F18D52AD419AB224DB309942CF50

Function 07FB18D9 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

98R, xrefs: 07FB1A43

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: f0a46617646d2a195441ef473146564cd0457559d487157ed290dedb7479019c
Instruction ID: 23ecf015f2eb605e36638d8f7546c38593e2252d0e7fa7e7f08f9bd77341ad27
Opcode Fuzzy Hash: f0a46617646d2a195441ef473146564cd0457559d487157ed290dedb7479019c
Instruction Fuzzy Hash: 9D7127B5E1424E9FCB14CFAAD4919EEFBB2FB89310F148429D415AB354D334AA42CF94

Function 07FB8698 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 07FB87AE

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 55bdf9455a0b4e6bac1e9cacc8d80e9e6a39ae43c069bbda569f5283993977f0
Instruction ID: bc41b219a26cde34493a25de42459d53d2c5d63b8038f08b3036174729badbff
Opcode Fuzzy Hash: 55bdf9455a0b4e6bac1e9cacc8d80e9e6a39ae43c069bbda569f5283993977f0
Instruction Fuzzy Hash: 9A5122B5E15219DFCB18CFAAD9455EEFBF6BF89300F24902AE405B7210EB3499418F94

Function 07FB8688 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 07FB87AE

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 81f8b0fa9f1c7ca89bc20c7cea332ed9a3b6f07321aa19acaea405e0d8548a18
Instruction ID: 160f8678e4f007d8c762c14a4497224564c03ff10eee4b49631e253b8051a510
Opcode Fuzzy Hash: 81f8b0fa9f1c7ca89bc20c7cea332ed9a3b6f07321aa19acaea405e0d8548a18
Instruction Fuzzy Hash: 635114B9E15219DFCB14CFAAD9455EDBBF2BF89300F24902AE405F7350E7349A418B94

Function 07FB1440 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

-2m, xrefs: 07FB1563

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 67548349384f461b68156c59c22ef5bd977b6bcb932e9ee4a6d77215edbb88e4
Instruction ID: 2d58ccf40abb23c7e315f913bb302866af46d7acd270bebe890084e6778d598f
Opcode Fuzzy Hash: 67548349384f461b68156c59c22ef5bd977b6bcb932e9ee4a6d77215edbb88e4
Instruction Fuzzy Hash: D15139B1D04219CFDB08CFAAC5946EEFBF2FF89301F28906AD419A7254D73489418B64

Function 07FB8A90 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07FB8BC5

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 5b2f25d574b4692ff0ffe30a72295f47a78e998c130a6282e817bcbce644c016
Instruction ID: a72c49bd183911685fb109d5aac2cee81dc42ef4d5968422e059c2104165cf16
Opcode Fuzzy Hash: 5b2f25d574b4692ff0ffe30a72295f47a78e998c130a6282e817bcbce644c016
Instruction Fuzzy Hash: D34137B5D14219DFCF14CFAAC5405EEFBB9FB8A281F18942AC416B7244D7388642CF98

Function 07FB8A80 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07FB8BC5

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 09f0e01041c048bcb55ad63d9c9a033d360ba69cdad8001d94c5bb3ec2a61ca2
Instruction ID: 8417668f6e30fd741782503fdcc2de16a02d3a111131ab017f142842feed8253
Opcode Fuzzy Hash: 09f0e01041c048bcb55ad63d9c9a033d360ba69cdad8001d94c5bb3ec2a61ca2
Instruction Fuzzy Hash: 47414AB1D15219DFCB14CFA6C5416EEFBB5FB89241F18D82AC006B7254D7388642CF98

Function 07FB5588 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 07FB56F3

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 565df0e70da969b16297b4d1738931644348c8835928f9911b5371cb8a51b625
Instruction ID: 2f531d7e48237dafcf8f98bf79b46b4cc06a32254c6739f10755480bead09fd5
Opcode Fuzzy Hash: 565df0e70da969b16297b4d1738931644348c8835928f9911b5371cb8a51b625
Instruction Fuzzy Hash: 275169B1E056188BDB68DF6B8D4479EFAF3BFC8300F14C1BA950CA6254EB344A858F11

Function 07FB5578 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

0ni, xrefs: 07FB56F3

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 7f82223d4b093bcb7912e5afd6b3bbef29073c627998cbbc445a3bbd1fb48dc1
Instruction ID: 524a4cc431efe60d5d960474132e46a439267cd4809e183ca36cf03ff70474d9
Opcode Fuzzy Hash: 7f82223d4b093bcb7912e5afd6b3bbef29073c627998cbbc445a3bbd1fb48dc1
Instruction Fuzzy Hash: 82516BB1E056188BDB68DF6B8D4579EFAF3BFC8300F14C1BA940CA6254EB344A858F51

Function 05393C18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9864f744cc7a58d1a7efefc6bc1e689bf612e1a2dc8cd20b02bf8eb7f790cd4
Instruction ID: 639c00203878e65ca3678f37b0dcc2ed746b659c39831b757650f86eda72b00f
Opcode Fuzzy Hash: e9864f744cc7a58d1a7efefc6bc1e689bf612e1a2dc8cd20b02bf8eb7f790cd4
Instruction Fuzzy Hash: 9EE138B4E002198FDB14DFA9C580AAEFBB2FF89305F248569D444AB355D731AD42CFA0

Function 05391620 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052632ad2eb7a9916b5d53a5b8f373ec1653889a83d8d4eb51ccb531702d5cbb
Instruction ID: 6aee6b7515af3149fb988d123c9c5f457c47409a09f852ba2282bc9e14d1e36c
Opcode Fuzzy Hash: 052632ad2eb7a9916b5d53a5b8f373ec1653889a83d8d4eb51ccb531702d5cbb
Instruction Fuzzy Hash: 21E12CB4E0421A8FDB14DF99C580AAEFBB2FF89304F248159D854AB355D730AD42CFA0

Function 05391E90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859235ffd5c2f31a20be36fe8a2facce85579545788339e203e991e4d81bc541
Instruction ID: c0fc90c4867b1aa6a07b55dc516b4fd2f08b37e9a2b13ecf5705e63fe2d0351d
Opcode Fuzzy Hash: 859235ffd5c2f31a20be36fe8a2facce85579545788339e203e991e4d81bc541
Instruction Fuzzy Hash: 90E11CB4E006199FDB14DF99C5809AEFBB2FF89304F248169E455A7355C731AD41CFA0

Function 05394200 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb60bca841e6ecda45d0551b4af308b39112d44335cd207a0a4b5fa688ed454c
Instruction ID: ac38bea5d427e8221f87f70d2eeb25524fb03773851be0bf90b0948b4d642577
Opcode Fuzzy Hash: cb60bca841e6ecda45d0551b4af308b39112d44335cd207a0a4b5fa688ed454c
Instruction Fuzzy Hash: F8E1E4B4E042198FDF14DFA9C580AAEFBB6FF89305F248169D454AB355D730A942CFA0

Function 05391A58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1560543141.0000000005390000.00000040.00000800.00020000.00000000.sdmp, Offset: 05390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5390000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6e2f232f6b9fad256f3702ae5829eb49117beed0cf1b1fab5c255e8df8af8b
Instruction ID: ecab2f881e1e3a91256601348927afc6cb2cb4345340f5d97f0c03b3d3a58b41
Opcode Fuzzy Hash: 4a6e2f232f6b9fad256f3702ae5829eb49117beed0cf1b1fab5c255e8df8af8b
Instruction Fuzzy Hash: CBE11BB4E0421A8FDB14DFA9C580AAEFBB2FF89305F248169D454AB355D730AD41CFA0

Function 0193D404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1555109476.0000000001930000.00000040.00000800.00020000.00000000.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1930000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82932a2d76c2bbf277b166181faac483dcced0e2d8e3a7d5fa61754742608a76
Instruction ID: a92808a732cd4d127e5311bf7f808d903d0445d722a10bba7c5b0cabf21f3b6f
Opcode Fuzzy Hash: 82932a2d76c2bbf277b166181faac483dcced0e2d8e3a7d5fa61754742608a76
Instruction Fuzzy Hash: 4BA19F32E0031A8FCF15CFB4D84099EBBB6FFC5301B15856AE90AAB265DB71E905CB41

Function 07FB3CF8 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b1a4db679a849d8835b071a0131e2fa0d4389b10486e903c6b8c9570a5d4bd
Instruction ID: f730d9c4610f1e83c71189eff53ff6a980fc2b3fe6341b78ad4caa12e837bb59
Opcode Fuzzy Hash: 62b1a4db679a849d8835b071a0131e2fa0d4389b10486e903c6b8c9570a5d4bd
Instruction Fuzzy Hash: 089106B5A5521ACFCB14CF9AC58489EFBF1FF89310F258556D419AB220D330EA41CF51

Function 07FB3D08 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2308780dab18ceb9e4120f1eef1192ef705c05f5a3596721fa75f30a3d3cce15
Instruction ID: 81293484f09e996b4fb0588be8990a885fdb4847e9834d490bc11b0c9e0ea7b2
Opcode Fuzzy Hash: 2308780dab18ceb9e4120f1eef1192ef705c05f5a3596721fa75f30a3d3cce15
Instruction Fuzzy Hash: A991E2B5A1521ACFCB14CFAAC58489EFBF2FF89310F659559D415AB320D330AA41CF51

Function 07FB8E40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15d6356b9fc9c4c58547ceef6c904dabd6a6d363158669f09b1bed508a5da2d
Instruction ID: 544567cf2112e032a48456ccefcad6ace2beab6fee3a6a47d70696363003d6d6
Opcode Fuzzy Hash: f15d6356b9fc9c4c58547ceef6c904dabd6a6d363158669f09b1bed508a5da2d
Instruction Fuzzy Hash: 4A81EAB4D14219CFDB14CFA9C580AAEFBB6FB89305F24C199D458A7216D730AA41CF61

Function 07FB5108 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35596363b823e5703b983754d2f85d629751a0362e8423db7068d54ca6ffe14
Instruction ID: 3ef56340b0b3cbf4e05d0932e6f83cd06030d93fadf2cf272221e0362adfe193
Opcode Fuzzy Hash: b35596363b823e5703b983754d2f85d629751a0362e8423db7068d54ca6ffe14
Instruction Fuzzy Hash: C6714AB5E15609CFCB04CFAAC9805DEFBF2FF89210F28942AD415F7264D3349A418B64

Function 07FB5118 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15cbe3ba606256be4283f6eb1a02c4577ba599d519bafa7c29657b7a3bfdc4a
Instruction ID: ab7f9fc92a942ff76c6459a8162964692382874a19cc43196179ce93eea3fd31
Opcode Fuzzy Hash: a15cbe3ba606256be4283f6eb1a02c4577ba599d519bafa7c29657b7a3bfdc4a
Instruction Fuzzy Hash: 1C71F7B5E15609CFCB14CFAAC9805DEFBF2FF89210F28942AD515B7224E3349A518B64

Function 07FB8348 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c33323f4d1ba4c81a1b9cdd5f2554e8ff6a4082f5c446be2a459c8d1e3bed13
Instruction ID: 442c711c9da6210d620dd1a81fe05f64c9d99416613672d03d1426b54f4e3ab9
Opcode Fuzzy Hash: 8c33323f4d1ba4c81a1b9cdd5f2554e8ff6a4082f5c446be2a459c8d1e3bed13
Instruction Fuzzy Hash: CC418CB1E0920ADFCB14CFA6C5416AEFBF6EFC9240F28946AC105B7264D37487058B95

Function 07FB4F02 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413ac9bf178bf7e46ea4f53b3aa84b68338ac533577cab6877f8d133383a21cb
Instruction ID: 6e5bc613d1d5762b763e40ae2862544250ba520c0848cc90b2e90c81a399c845
Opcode Fuzzy Hash: 413ac9bf178bf7e46ea4f53b3aa84b68338ac533577cab6877f8d133383a21cb
Instruction Fuzzy Hash: 4C41F6B1E0424ADFCB54CFAAD9815EEFBF2EF89200F18C46AD415A7255E3349A41CF94

Function 07FB53A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99d420c866664518bf19fc3879b528ed6937f2493a1af6f9cdd17fd0acdb2c5
Instruction ID: a39630b3ff82d9f7a7cc6d1f383e415229aba26ea152e73a3dede321e43bb2ed
Opcode Fuzzy Hash: e99d420c866664518bf19fc3879b528ed6937f2493a1af6f9cdd17fd0acdb2c5
Instruction Fuzzy Hash: 634117B1E1520ADBCB44CFAAC5815EEFBF2FF89200F28C56AC405B7314D7749A518BA4

Function 07FB5398 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3ee5218cea1f282f501cd9f12112fd8ed3ff15dd0e343a71bbdfdb46d8f216
Instruction ID: cb2b4c4b1348726846ddbb4a4f5e02c73182fd17da6d2e6d614f3d42ebdfd006
Opcode Fuzzy Hash: 1e3ee5218cea1f282f501cd9f12112fd8ed3ff15dd0e343a71bbdfdb46d8f216
Instruction Fuzzy Hash: D1411BB1E1560ADBCB14CFAAC5815EEFBF2EF88300F28C46AC405B7354E7749A518B94

Function 07FB8358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854e00b19f9da9b732cc54cd60cefa9dfe51e15003be7971eccca4a216db0835
Instruction ID: 883191f4f87e4df360df9a90e416268d8417ec096562584a19cf99a24aaf7f3c
Opcode Fuzzy Hash: 854e00b19f9da9b732cc54cd60cefa9dfe51e15003be7971eccca4a216db0835
Instruction Fuzzy Hash: 93416AB1E0520ADFCB14CFA6C5416AEFBF6EFC9340F28946AC105B7264E37497058B94

Function 07FB4F10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ea9c22eba084fc7bf80bdd182ba08eb83c37f263e8f3a447abca15b0d3e04b
Instruction ID: 0917825e408a0048e89207545b3459b1630496e0679979501b148c0230fa14a3
Opcode Fuzzy Hash: 95ea9c22eba084fc7bf80bdd182ba08eb83c37f263e8f3a447abca15b0d3e04b
Instruction Fuzzy Hash: CA41C2B1E0460ADBCB58CFAAD9815EEFBF2EF89200F18C46AD415A7254D7349A41CF94

Function 07FB0006 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116fd3d132a05b24b98887b35d4bbdd072c241b2dde7a14feed58cb7c6ada0f7
Instruction ID: da5e1272d6ebf98e48601dfb8ba2e0a921519dd8a67d42cbb918c6c1c5f7cb59
Opcode Fuzzy Hash: 116fd3d132a05b24b98887b35d4bbdd072c241b2dde7a14feed58cb7c6ada0f7
Instruction Fuzzy Hash: 2C310F71D097548FD719CF6B9C502DABBF7AFCA210F09C0A7C448AB265DB340946CB61

Function 07FB0040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1563069017.0000000007FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fb0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06311a3e2464d7de6b0616145aed119674f40b30e063c9b85d2c71e48df2500f
Instruction ID: 347674354f2e1655fdb69b7bc5d91772aabf21bd56404de38540227976102fc4
Opcode Fuzzy Hash: 06311a3e2464d7de6b0616145aed119674f40b30e063c9b85d2c71e48df2500f
Instruction Fuzzy Hash: DA11EFB1E046189BEB18CFABD8406DEFAF7AFC8200F08C176D51CB6214EB7005468F51

Analysis Process: RegSvcs.exePID: 5608, Parent PID: 2940COMMON

Executed Functions

Function 00429E70 Relevance: 51.9, Strings: 40, Instructions: 1933COMMON

Download Yara Rule

Strings

SJdQxOoXelngmKgWXFKINzsXqLhAfodhlbJaPaUhoff, xrefs: 0042BB3F
cTbNjyyNpXRKLjUvYwySr, xrefs: 0042B58B
XeYdBjxzNfdQLLcMFzNSRiNWBDzobFXz, xrefs: 0042A24C
23361C2F0B111660031C34, xrefs: 0042A221
iqTHSxeqZPmLt, xrefs: 0042A892
xNuLiemXwHKDZenpHPyWhopVnbQjhBn, xrefs: 0042B506, 0042B97F
VUBgslOXrdlWMoGUKaTetp, xrefs: 0042A09E
AumneHRTqZSZRjqAKCOWnyfHlJLBLfVM, xrefs: 0042A5D5
PbNYimtwMGgSZUGMwvEFXPXdXMCrkbMT, xrefs: 0042B732
003B0D2205, xrefs: 0042A6F5
04073C03161D27131B3A2E2F01011F3412, xrefs: 0042B560
2D152B3017101F2E23310D170A1E2126275617143960, xrefs: 0042A867
2C2D1E231E3B1704343D2B023723, xrefs: 0042B682, 0042B829
wRLEwLKeTRBwFCSkknqgONycgJgfgwRksp, xrefs: 0042B22B, 0042B3D5
02110401053F2C5C3704322103, xrefs: 0042A073
tzIsIIvzhLTCeeCyKctYyqfvvRKARTgUctsgLBMTf, xrefs: 0042B069
pacWbrPNzrTDqvgCxfbdp, xrefs: 0042BD93
1F17340A210E35004C5447, xrefs: 0042BAE9
@, xrefs: 0042BFBC
30202733320C2A242928263B1D0B002546102A0427, xrefs: 0042AA59
plaDPqjMxhKEThetVhdNeSFHrLndZkQHSdZWPeGmuSX, xrefs: 0042AA84
2B3B3030222D37270C3B2604123C1F, xrefs: 0042B285
2D3B2D0E021D192A14341F, xrefs: 0042B707
XoXKojSxLVUSn, xrefs: 0042AE05, 0042AF76, 0042BEFD
1721241E20, xrefs: 0042B200, 0042B3AA
LcXjDqRycgXYtRQCqqLZNX, xrefs: 0042B6AD, 0042B854
"@, xrefs: 00429E99
3319280C052616387827360D68, xrefs: 0042ADC7, 0042AF4B, 0042BED2
iDZyCYrWatbAL, xrefs: 0042A747
PnUQRNHdNkUGpgNzBiMzdnIsLOYjoecbKs, xrefs: 0042B2B0
1E0E060F1E020D3977002E04, xrefs: 0042A960
QBOelqwcMYsZcOSbKRXfILqoxsswxtHWmuzPETXcmXR, xrefs: 0042A98B
180C070914, xrefs: 0042A583
C:\\, xrefs: 00429EED
MBYqGuUdbxjgxLcSDNfzwT, xrefs: 0042A463
1E143F1A12022A13, xrefs: 0042B4DB, 0042B954
2013270E1B332F0E1B3B2A514C4705171E2F05191C, xrefs: 0042BD68
311B1F2B3A2D2A28746043, xrefs: 0042BB14
uazlXMBXLTZchJDHJsSWCUrCJRCchKqS, xrefs: 0042BB78
112D1E351432013E, xrefs: 0042A411

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_423000_RegSvcs.jbxd

Similarity

API ID:
String ID: 003B0D2205$02110401053F2C5C3704322103$04073C03161D27131B3A2E2F01011F3412$112D1E351432013E$1721241E20$180C070914$1E0E060F1E020D3977002E04$1E143F1A12022A13$1F17340A210E35004C5447$2013270E1B332F0E1B3B2A514C4705171E2F05191C$23361C2F0B111660031C34$2B3B3030222D37270C3B2604123C1F$2C2D1E231E3B1704343D2B023723$2D152B3017101F2E23310D170A1E2126275617143960$2D3B2D0E021D192A14341F$30202733320C2A242928263B1D0B002546102A0427$311B1F2B3A2D2A28746043$3319280C052616387827360D68$@$AumneHRTqZSZRjqAKCOWnyfHlJLBLfVM$C:\\$LcXjDqRycgXYtRQCqqLZNX$MBYqGuUdbxjgxLcSDNfzwT$PbNYimtwMGgSZUGMwvEFXPXdXMCrkbMT$PnUQRNHdNkUGpgNzBiMzdnIsLOYjoecbKs$QBOelqwcMYsZcOSbKRXfILqoxsswxtHWmuzPETXcmXR$SJdQxOoXelngmKgWXFKINzsXqLhAfodhlbJaPaUhoff$VUBgslOXrdlWMoGUKaTetp$XeYdBjxzNfdQLLcMFzNSRiNWBDzobFXz$XoXKojSxLVUSn$cTbNjyyNpXRKLjUvYwySr$iDZyCYrWatbAL$iqTHSxeqZPmLt$pacWbrPNzrTDqvgCxfbdp$plaDPqjMxhKEThetVhdNeSFHrLndZkQHSdZWPeGmuSX$tzIsIIvzhLTCeeCyKctYyqfvvRKARTgUctsgLBMTf$uazlXMBXLTZchJDHJsSWCUrCJRCchKqS$wRLEwLKeTRBwFCSkknqgONycgJgfgwRksp$xNuLiemXwHKDZenpHPyWhopVnbQjhBn$"@
API String ID: 0-3945222069
Opcode ID: a1cd947c2bf01fc5c32b401e20513a69c62416625261888e9ab338f444ef15a3
Instruction ID: 068364d42aa47788aa083ce228da6e0f9d63f98277de860376323e3d31f6f852
Opcode Fuzzy Hash: a1cd947c2bf01fc5c32b401e20513a69c62416625261888e9ab338f444ef15a3
Instruction Fuzzy Hash: 16130575910228DFDB24DB60DD88BDEB779BF48300F1081EAE50AB6260EB745B89CF55

Function 00410DF0 Relevance: 50.5, Strings: 38, Instructions: 3029COMMON

Download Yara Rule

Strings

IgnoreCase, xrefs: 00413350
2C2623053C2217330A250A, xrefs: 00411181
TAtqaThOGrgRKKISgbUFPHGcPViBhJGjB, xrefs: 00411100
1F0744003A585C501E3906642629480212740A5C4A686138327D7A181039381341102F750B396339555E4F602D174D7C254C357F18040F4F311A411635751F797C, xrefs: 00413366, 004137D4, 00413C42
o, xrefs: 004122EA
JGIfErwnPOeHawxIJAqjbRtdshPYzAMwF, xrefs: 0041105D
3E1805020B2818185B220A092D2226, xrefs: 004131D0
Z, xrefs: 00411CC2
Pattern, xrefs: 00413426, 00413894, 00413D02
0D032814, xrefs: 00411BC2
:, xrefs: 00413F34
021B1F15350B3B34, xrefs: 004110DE
313607080B053B0D, xrefs: 00411246
0A2C153613100B23, xrefs: 0041103B
nhZVayAhlupo, xrefs: 004131F2
NOTFaYLcZkIyjt, xrefs: 004111A3
3A121C32031109, xrefs: 00411481
DjLHjJoZkORbhTYDcYCCpW, xrefs: 00410FBA
36301A2B1B, xrefs: 004115C7
LmVQqqlwZWOZWDPtNsNKBqvjLYgANele, xrefs: 0041213B
Global, xrefs: 004132F7
tzIsIIvzhLTCeeCyKctYyqfvvRKARTgUctsgLBMTf, xrefs: 00411FB6
HDcZsuNvMGrihGXXpRxgYCx, xrefs: 0041208E
29232701230A29, xrefs: 00410F98
151A1B01372522243F20210215, xrefs: 00411524
test, xrefs: 00413480, 004138EE, 00413D5C
bdeBZEDvHVZbmbeHdZmpUkP, xrefs: 004112CE
BfulRlhdqVSVlpJEaLpqeS, xrefs: 00411400
QvMdlutFvMYvyjXJrbqZuipkvpwrJMOOrauMfepWfHnD, xrefs: 00412B7A, 00412C32, 00412CEA, 00412DA2, 00412E5A, 00412F12, 00412FCA, 00413082, 0041313A, 0041360A, 00413A78
sNWzXQxgKWvD, xrefs: 00411BE4
35161E37090617193927, xrefs: 004113DE
NCelbYplxEXeI, xrefs: 00413388, 004137F6, 00413C64
261D231927020D0114372403, xrefs: 00411224
yqwevbehwCblObnFJFeJXAr, xrefs: 004114A3
fVhbqCJuESLDv, xrefs: 00411546
spYvNhEytkPSxGPsFwZgDhx, xrefs: 004115E9
9, xrefs: 00411E5F
meRnIrVHSZviFkRcLKcBiVSamrPJYlml, xrefs: 00411268

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 021B1F15350B3B34$0A2C153613100B23$0D032814$151A1B01372522243F20210215$1F0744003A585C501E3906642629480212740A5C4A686138327D7A181039381341102F750B396339555E4F602D174D7C254C357F18040F4F311A411635751F797C$261D231927020D0114372403$29232701230A29$2C2623053C2217330A250A$313607080B053B0D$35161E37090617193927$36301A2B1B$3A121C32031109$3E1805020B2818185B220A092D2226$9$:$BfulRlhdqVSVlpJEaLpqeS$DjLHjJoZkORbhTYDcYCCpW$Global$HDcZsuNvMGrihGXXpRxgYCx$IgnoreCase$JGIfErwnPOeHawxIJAqjbRtdshPYzAMwF$LmVQqqlwZWOZWDPtNsNKBqvjLYgANele$NCelbYplxEXeI$NOTFaYLcZkIyjt$Pattern$QvMdlutFvMYvyjXJrbqZuipkvpwrJMOOrauMfepWfHnD$TAtqaThOGrgRKKISgbUFPHGcPViBhJGjB$Z$bdeBZEDvHVZbmbeHdZmpUkP$fVhbqCJuESLDv$meRnIrVHSZviFkRcLKcBiVSamrPJYlml$nhZVayAhlupo$o$sNWzXQxgKWvD$spYvNhEytkPSxGPsFwZgDhx$test$tzIsIIvzhLTCeeCyKctYyqfvvRKARTgUctsgLBMTf$yqwevbehwCblObnFJFeJXAr
API String ID: 0-3297074786
Opcode ID: 19352ac2a98b4ff5fa779ee4169e8d3ab9ebdd8c5acda09d291b794d1d4f60d9
Instruction ID: a70cd334efc25a1dfd92f50e9d16e65422144a8eb495ac7d8716f5445c488f91
Opcode Fuzzy Hash: 19352ac2a98b4ff5fa779ee4169e8d3ab9ebdd8c5acda09d291b794d1d4f60d9
Instruction Fuzzy Hash: FE63F975910208DFDB14DFA4DD48ADEB7B5FB48304F2081AEE50AB72A0DB745A89CF58

Function 00404F5A Relevance: 25.6, Strings: 20, Instructions: 566COMMON

Download Yara Rule

Strings

2C2623053C2217330A250A, xrefs: 00411181
TAtqaThOGrgRKKISgbUFPHGcPViBhJGjB, xrefs: 00411100
29232701230A29, xrefs: 00410F98
151A1B01372522243F20210215, xrefs: 00411524
JGIfErwnPOeHawxIJAqjbRtdshPYzAMwF, xrefs: 0041105D
bdeBZEDvHVZbmbeHdZmpUkP, xrefs: 004112CE
BfulRlhdqVSVlpJEaLpqeS, xrefs: 00411400
021B1F15350B3B34, xrefs: 004110DE
313607080B053B0D, xrefs: 00411246
0A2C153613100B23, xrefs: 0041103B
NOTFaYLcZkIyjt, xrefs: 004111A3
3A121C32031109, xrefs: 00411481
35161E37090617193927, xrefs: 004113DE
261D231927020D0114372403, xrefs: 00411224
yqwevbehwCblObnFJFeJXAr, xrefs: 004114A3
DjLHjJoZkORbhTYDcYCCpW, xrefs: 00410FBA
36301A2B1B, xrefs: 004115C7
fVhbqCJuESLDv, xrefs: 00411546
spYvNhEytkPSxGPsFwZgDhx, xrefs: 004115E9
meRnIrVHSZviFkRcLKcBiVSamrPJYlml, xrefs: 00411268

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 021B1F15350B3B34$0A2C153613100B23$151A1B01372522243F20210215$261D231927020D0114372403$29232701230A29$2C2623053C2217330A250A$313607080B053B0D$35161E37090617193927$36301A2B1B$3A121C32031109$BfulRlhdqVSVlpJEaLpqeS$DjLHjJoZkORbhTYDcYCCpW$JGIfErwnPOeHawxIJAqjbRtdshPYzAMwF$NOTFaYLcZkIyjt$TAtqaThOGrgRKKISgbUFPHGcPViBhJGjB$bdeBZEDvHVZbmbeHdZmpUkP$fVhbqCJuESLDv$meRnIrVHSZviFkRcLKcBiVSamrPJYlml$spYvNhEytkPSxGPsFwZgDhx$yqwevbehwCblObnFJFeJXAr
API String ID: 0-3794403500
Opcode ID: 538014fd11694ac343fd52401e4fe514e68a75b97526f2944c1fc3fb528cce7e
Instruction ID: 7a4c7e34e97db4d9e4960fe29da8b4ea74c953362efe486c54ba14f2ceb036b8
Opcode Fuzzy Hash: 538014fd11694ac343fd52401e4fe514e68a75b97526f2944c1fc3fb528cce7e
Instruction Fuzzy Hash: 9732F872810109ABDB04DFE4DA94EDEB779FF48304F10856AF506B6164EB34AA49CFA4

Function 00424C00 Relevance: 23.6, Strings: 17, Instructions: 2378COMMON

Download Yara Rule

Strings

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 0042554C, 00426780
SJdQxOoXelngmKgWXFKINzsXqLhAfodhlbJaPaUhoff, xrefs: 004250FA, 00426341
SELECT origin_url, username_value, password_value, length(password_value) FROM logins, xrefs: 00425B1F
ApYjHcKDkxrgdnTXKxrGOln, xrefs: 00426091, 00426D93
SELECT origin_url, username_value, password_value FROM logins, xrefs: 00424EFA
06685A, xrefs: 0042603B, 00426D3D
PvbKtNZihjToShXymqJLyY, xrefs: 00425363, 004258FE, 004265C0, 004272A3
3F6254, xrefs: 00426066, 00426D68
d, xrefs: 00425598
,d@, xrefs: 00426A1D
1F17340A210E35004C5447, xrefs: 0042506E, 004262B5
]@, xrefs: 00425FF6
MISeSqatVBxcabMdIwQeceFZVaHFhuo, xrefs: 004260ED, 00426DEF
37123B182739081C033B01735278, xrefs: 00425338, 004258BB, 00426595, 00427278
311B1F2B3A2D2A28746043, xrefs: 00425099, 004262E0
uazlXMBXLTZchJDHJsSWCUrCJRCchKqS, xrefs: 0042516A, 004263B1
b, xrefs: 00427413

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_423000_RegSvcs.jbxd

Similarity

API ID:
String ID: ,d@$06685A$1F17340A210E35004C5447$311B1F2B3A2D2A28746043$37123B182739081C033B01735278$3F6254$ApYjHcKDkxrgdnTXKxrGOln$MISeSqatVBxcabMdIwQeceFZVaHFhuo$PvbKtNZihjToShXymqJLyY$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$SJdQxOoXelngmKgWXFKINzsXqLhAfodhlbJaPaUhoff$b$d$uazlXMBXLTZchJDHJsSWCUrCJRCchKqS$]@
API String ID: 0-2731078149
Opcode ID: db167675d62f88f5ffc6b36e40afd59cdd6c8a6283327a58a84820de98a320ff
Instruction ID: 128006a2292c6c29fa38eff6aee7c5e362c8978db9cb991c5a054d38903297e7
Opcode Fuzzy Hash: db167675d62f88f5ffc6b36e40afd59cdd6c8a6283327a58a84820de98a320ff
Instruction Fuzzy Hash: B43308B59002189FDB15DF90DD88BDEB7B8BB48304F1081EAE64AB7260DB745B88CF55

Function 00429676 Relevance: 13.3, Strings: 10, Instructions: 778COMMON

Download Yara Rule

Strings

0B1A2B2B01041C6027363C0C, xrefs: 004296AC, 00429A81
24341D230F1D031164023808333632, xrefs: 00429C23
02110401053F2C5C3704322103, xrefs: 0042A073
XeYdBjxzNfdQLLcMFzNSRiNWBDzobFXz, xrefs: 0042A24C
"@, xrefs: 00429E99
23361C2F0B111660031C34, xrefs: 0042A221
VUBgslOXrdlWMoGUKaTetp, xrefs: 0042A09E
C:\\, xrefs: 00429EED
CxGtDarmbJqIdZBWSdfVTwe, xrefs: 00429C45
VWvDLhjoNMESblqjDieqfR, xrefs: 004296CE, 00429AA3

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_423000_RegSvcs.jbxd

Similarity

API ID:
String ID: 02110401053F2C5C3704322103$0B1A2B2B01041C6027363C0C$23361C2F0B111660031C34$24341D230F1D031164023808333632$C:\\$CxGtDarmbJqIdZBWSdfVTwe$VUBgslOXrdlWMoGUKaTetp$VWvDLhjoNMESblqjDieqfR$XeYdBjxzNfdQLLcMFzNSRiNWBDzobFXz$"@
API String ID: 0-2892534026
Opcode ID: 35f0bcb585e8855458f5dc11a63547de8c923b95724958503b800153aff73df7
Instruction ID: ade12f73d69b76d4e596a96bf6f6adcad82a8b97d55b5a4c0a0deec5547e4ac4
Opcode Fuzzy Hash: 35f0bcb585e8855458f5dc11a63547de8c923b95724958503b800153aff73df7
Instruction Fuzzy Hash: 80720875910218DFDB14DFA4DD88BEEB7B5FB48300F1081A9E50AB72A0DB745A89CF58

Function 004109B0 Relevance: 9.0, Strings: 7, Instructions: 280COMMON

Download Yara Rule

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00410ABE
3221243528081539, xrefs: 00410A53
6A101B3D, xrefs: 00410A75
\KeyData.Log, xrefs: 00410C5A
OnjALliaXAHYmtZlTFsrVwezMtnwRCHWM, xrefs: 00410A97
VDdcIFoLczBsp, xrefs: 00410ACC
DC-KL, xrefs: 00410BD7

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 3221243528081539$6A101B3D$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$DC-KL$OnjALliaXAHYmtZlTFsrVwezMtnwRCHWM$VDdcIFoLczBsp$\KeyData.Log
API String ID: 0-1769003403
Opcode ID: bce037a9f0dc8b7b996743998d08d20b57bf272fad26c9a30eda66b23785824c
Instruction ID: 3b857195936b6f0452ac6246f9f57d52148544f1593039b1020faae46c327d20
Opcode Fuzzy Hash: bce037a9f0dc8b7b996743998d08d20b57bf272fad26c9a30eda66b23785824c
Instruction Fuzzy Hash: 79B11F75910208EBDB04DFE4D948ADEBB75FF48304F10812AF512B72A4DB749A49CF98

Function 004295B0 Relevance: 5.5, Strings: 4, Instructions: 536COMMON

Download Yara Rule

Strings

0B1A2B2B01041C6027363C0C, xrefs: 004296AC, 00429A81
24341D230F1D031164023808333632, xrefs: 00429C23
CxGtDarmbJqIdZBWSdfVTwe, xrefs: 00429C45
VWvDLhjoNMESblqjDieqfR, xrefs: 004296CE, 00429AA3

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Offset: 00423000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_423000_RegSvcs.jbxd

Similarity

API ID:
String ID: 0B1A2B2B01041C6027363C0C$24341D230F1D031164023808333632$CxGtDarmbJqIdZBWSdfVTwe$VWvDLhjoNMESblqjDieqfR
API String ID: 0-1071388976
Opcode ID: 6331ae798324de33c755cfebba043f994fabc0c5a71aaac2b902bf564efbd8ea
Instruction ID: 7cd4656e141a87a8565597a83e124e14497f9a8116a6a93337b58a9f0dae9342
Opcode Fuzzy Hash: 6331ae798324de33c755cfebba043f994fabc0c5a71aaac2b902bf564efbd8ea
Instruction Fuzzy Hash: 16321A75910218DFDB14DFA4DD88BEDBBB4FB48300F1081AAE50AB7260DB745A89CF58

Function 00404F9E Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

*, xrefs: 00411E4C
Z, xrefs: 00411CC2
0D032814, xrefs: 00411BC2
sNWzXQxgKWvD, xrefs: 00411BE4

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: *$0D032814$Z$sNWzXQxgKWvD
API String ID: 0-1610418762
Opcode ID: 11dc78d94f29e74d403f79c6d8bcfd6c20d7c0eb588a4cb32e23c81108edeaca
Instruction ID: 50b81e2e21558a0beef01c7619f4cdb654cac3239bffa51bb46109a3d6ce8be1
Opcode Fuzzy Hash: 11dc78d94f29e74d403f79c6d8bcfd6c20d7c0eb588a4cb32e23c81108edeaca
Instruction Fuzzy Hash: 3802FB75910208EBDB14DFA4DE48BDE7BB5FB44304F1081ADE606B72A0DB785A89CF58

Function 004103C0 Relevance: 5.4, Strings: 4, Instructions: 361COMMON

Download Yara Rule

Strings

GYdyHGhvzljaOzrVoDBtdW, xrefs: 004107FA
082525243B201E2C112C295B79, xrefs: 00410789
675A220B0B212638232B330B27, xrefs: 004107AB
CSfimkbQmChtgEtTpmblH, xrefs: 004107CD

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 082525243B201E2C112C295B79$675A220B0B212638232B330B27$CSfimkbQmChtgEtTpmblH$GYdyHGhvzljaOzrVoDBtdW
API String ID: 0-3060382303
Opcode ID: 4fdfb6ba346a071272d9956f98cc535811830c5e5b05775871cb840aec4bfebe
Instruction ID: 6f0fe2400778baf41e8a62819136e341de13878eb0ed5778f166bbb1f8ed7586
Opcode Fuzzy Hash: 4fdfb6ba346a071272d9956f98cc535811830c5e5b05775871cb840aec4bfebe
Instruction Fuzzy Hash: 7FF1FB75900218DFDB14DFA4D948BDEBBB5FF48304F2081AAE50AB72A0DB745A85CF64

Function 0040A1BA Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

8W@, xrefs: 0040A1D7

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: 8W@
API String ID: 0-1444931385
Opcode ID: 181c207aea9960324c2616da4bc56b481ddfd633cdf9da9a986a23180eaf99d2
Instruction ID: 8c2685235f1debe0df423363edcbcf651c9a042992f14e71ae87008f98733eea
Opcode Fuzzy Hash: 181c207aea9960324c2616da4bc56b481ddfd633cdf9da9a986a23180eaf99d2
Instruction Fuzzy Hash: 2BD0922018E3C15FC713A3B00C244243FB05D0324431E84EBC084DE1E3DA6C4819C377

Function 00403EA4 Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203754b0a05b75e4a2c6e18a840a0bd5d1af2d38b688600a13c9724f097ecb42
Instruction ID: 98012d1a309f98b30dd836f0da599d6ee4696d2c1deae08211ba8738e9af24bd
Opcode Fuzzy Hash: 203754b0a05b75e4a2c6e18a840a0bd5d1af2d38b688600a13c9724f097ecb42
Instruction Fuzzy Hash: EF5155A280E3C18FC3034BB49CBA79B7F719E2326474F55D7C5C1CA2A3E118985AD726

Function 00405B48 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2729076960.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_401000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5d9d91db5966c244701a56f94937a208d687297fc780b0827d65429f0901f7
Instruction ID: 7552edef0193307111a67a984dc8262be4a476733d65a50f2979006d33fec79d
Opcode Fuzzy Hash: 9d5d9d91db5966c244701a56f94937a208d687297fc780b0827d65429f0901f7
Instruction Fuzzy Hash: 78B012243984019AD300AB684C0172735E0D6043C1360CD33E051F22D0CA38FD004D6D

Analysis Process: lEIbxztPTKpOpY.exePID: 5812, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	219
Total number of Limit Nodes:	14

Executed Functions

Function 0126D4C9 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0126D556
GetCurrentThread.KERNEL32 ref: 0126D593
GetCurrentProcess.KERNEL32 ref: 0126D5D0
GetCurrentThreadId.KERNEL32 ref: 0126D629

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 487e5fdd1e94e3748bced8e392f57e38cf4b3b312918f5d04bd7b978084fcc0e
Instruction ID: d052ae24740f30a507ff1294e73da93a80b39b932d2ab1f07814348dc9f1eab0
Opcode Fuzzy Hash: 487e5fdd1e94e3748bced8e392f57e38cf4b3b312918f5d04bd7b978084fcc0e
Instruction Fuzzy Hash: F75146B0A0034A8FEB14DFAAE548B9EBBF5BF88314F248459E409A7290D7745984CB65

Function 0126D4D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0126D556
GetCurrentThread.KERNEL32 ref: 0126D593
GetCurrentProcess.KERNEL32 ref: 0126D5D0
GetCurrentThreadId.KERNEL32 ref: 0126D629

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 553b13e6858e43ba57e8e3aeeb97f9f11ca337b9c612db3b57949aa75a452bfa
Instruction ID: 60a7c99a12ec2eac9bbc7570b85483c30696105b537eec0c770ad45ca62ab04f
Opcode Fuzzy Hash: 553b13e6858e43ba57e8e3aeeb97f9f11ca337b9c612db3b57949aa75a452bfa
Instruction Fuzzy Hash: 565157B0E0034A8FEB14DFAAD548B9EBBF5BF88314F248459E409A7290DB745984CF65

Function 05123420 Relevance: 2.0, APIs: 1, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1635580856.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5120000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878b738cbe277993356e3bb9fb11d21f3285d70b9785eb4c76a854a63e9c088b
Instruction ID: 7a3c392a735fc9adb3e59c7bf5ada079804072d6cfc79d1d632241bf444726ee
Opcode Fuzzy Hash: 878b738cbe277993356e3bb9fb11d21f3285d70b9785eb4c76a854a63e9c088b
Instruction Fuzzy Hash: 7322B274E04225CFCB28DB98D489ABEB7B2FB84310F258C56D5269B395C73CD8A1CB51

Function 0126AE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0126B09E

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 91341c8a652d697f5e131c25a1d3be6e0d0cc33018764d6a72f0eba30e40df4f
Instruction ID: 63224d429156ce6d7618096a81de8173a6e2a15272a01aad7350cd7ad2a28d65
Opcode Fuzzy Hash: 91341c8a652d697f5e131c25a1d3be6e0d0cc33018764d6a72f0eba30e40df4f
Instruction Fuzzy Hash: 0F714870A10B068FE724DF2AD45575ABBF5FF88300F00892DD59AD7A80D775E845CB91

Function 051218E4 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05121A02

Memory Dump Source

Source File: 0000000A.00000002.1635580856.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5120000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cb5af1dadba482ddef452add17e9e7a34ecf1fac5b776d572e5931c57731fafd
Instruction ID: 8b317e2381c52d573a00655c1914d85e0cecd327dc24e822599377b54bef8fcf
Opcode Fuzzy Hash: cb5af1dadba482ddef452add17e9e7a34ecf1fac5b776d572e5931c57731fafd
Instruction Fuzzy Hash: 3351C2B1D00359EFDB14CF99C884ADEBBB6FF48310F24812AE819AB250D7719945CF90

Function 051218F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05121A02

Memory Dump Source

Source File: 0000000A.00000002.1635580856.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5120000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 19fa389c4248d09fd225c8ab9c8c4027a0f10a13417b4666d7477db10e3fc32f
Instruction ID: 20c05ecba029e45b4af1ce3eed147d3097e1ab0b833e497a9b1986d3577fb086
Opcode Fuzzy Hash: 19fa389c4248d09fd225c8ab9c8c4027a0f10a13417b4666d7477db10e3fc32f
Instruction Fuzzy Hash: 1241C0B1D00359EFDB14CF99C884ADEBBB6BF88310F24812AE819AB250D7759945CF90

Function 012644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012659C9

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6191207088879c1bb1b40e8a3ac29c140dbeda42a1a460eec7958c5e9a122fe3
Instruction ID: 1243bfa76b9aabab494f1cc99bd82b90048823adf5c85fd3ed60f4f52ed90542
Opcode Fuzzy Hash: 6191207088879c1bb1b40e8a3ac29c140dbeda42a1a460eec7958c5e9a122fe3
Instruction Fuzzy Hash: AA41E271C1071DCFEB24DFAAC88478EBBB5BF89704F20815AD508AB251DB715985CF90

Function 0126590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012659C9

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1c4eb20661a0aa7197eb257216147d2f735815927421879134109c8d91021bc7
Instruction ID: c64d492ef93320925c70bf95bac97c3b470b4d26f64b1c535d23991f9c5adec4
Opcode Fuzzy Hash: 1c4eb20661a0aa7197eb257216147d2f735815927421879134109c8d91021bc7
Instruction Fuzzy Hash: 9A41D271C0071ACFEB24DFAAC8847CEBBB5BF89714F20816AD408AB251DB755945CF90

Function 05124050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05124111

Memory Dump Source

Source File: 0000000A.00000002.1635580856.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5120000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7391b2b8cb6797f165ac00968de358f72cd36b12811273d4221b81acd6b4468e
Instruction ID: dac564b17b83ab91e0719290ea442040d5e9001286fafdf819ee8e7747666c47
Opcode Fuzzy Hash: 7391b2b8cb6797f165ac00968de358f72cd36b12811273d4221b81acd6b4468e
Instruction Fuzzy Hash: CC413CB5A00319CFCB14CF99C848AAABBF6FF88314F24C459D519AB321D775A851CFA0

Function 0126D719 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0126D7A7

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3e6224eb9f6146482b31709dca448f9262c0fe93e4ddd90c4893e5cb91f30e3d
Instruction ID: 8901f4d1f19d69e3245e389787a30f50769f8f2ac2c588e95d1059a9968e76d0
Opcode Fuzzy Hash: 3e6224eb9f6146482b31709dca448f9262c0fe93e4ddd90c4893e5cb91f30e3d
Instruction Fuzzy Hash: 4D21E3B590034D9FDB10CFAAD884ADEBBF9EB48310F14801AE954A3251D379A950CF65

Function 0126D720 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0126D7A7

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1ebe1b6fc356c58ca1a5e62835901213fbb4a4dc5ddf879ff79bf1c05f5a4d6f
Instruction ID: 078edbca366daf3c5411f8d02d586159327a560e263476bfcf7fe7a778dc6844
Opcode Fuzzy Hash: 1ebe1b6fc356c58ca1a5e62835901213fbb4a4dc5ddf879ff79bf1c05f5a4d6f
Instruction Fuzzy Hash: C721E3B590024D9FDB10CFAAD884ADEBBF9EB48310F14801AE954A3250C379A950CF65

Function 07307CB8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07307D33

Memory Dump Source

Source File: 0000000A.00000002.1637024747.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7300000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 001b1117e134e0b4416dfc155010a53d0e51449a78c209612801a427794c2cfe
Instruction ID: cdb1ee3b66c9b99640f0f1126feaf8694d8d7ad210a512d03cbf89c694700f1e
Opcode Fuzzy Hash: 001b1117e134e0b4416dfc155010a53d0e51449a78c209612801a427794c2cfe
Instruction Fuzzy Hash: 212106B5D002499FDB10DF9AC484BDEFBF5FB48310F10842AE458A7650C378A545CFA1

Function 07307CC0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07307D33

Memory Dump Source

Source File: 0000000A.00000002.1637024747.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7300000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d56d9e9e9503602774e6c52e0aca1a8c21f62593e9bfdd0dd797727c1cf36f7d
Instruction ID: 0ee6f7c7622b80bef0fab7b16ffc7283fedf4cd5b46ce09e63b8e3fed790f2b7
Opcode Fuzzy Hash: d56d9e9e9503602774e6c52e0aca1a8c21f62593e9bfdd0dd797727c1cf36f7d
Instruction Fuzzy Hash: 4F2114B5D0024A9FDB10DFAAC884BDEFBF4FB48320F108429E858A7251D378A544CFA1

Function 0126B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0126B09E

Memory Dump Source

Source File: 0000000A.00000002.1630017900.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1260000_lEIbxztPTKpOpY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1012aa6b10f0eb928bfd55004108428d99ec6f08075aa0644fbae4f7bcc7f971
Instruction ID: b69ef584cd816e9f297ad31e3ef744fbc48541566414edfc536338e04965151e
Opcode Fuzzy Hash: 1012aa6b10f0eb928bfd55004108428d99ec6f08075aa0644fbae4f7bcc7f971
Instruction Fuzzy Hash: 051110B5D0034A8FDB20DF9AC444BDEFBF9AB88320F10841AD928A7240D379A545CFA1

Function 0107D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629614625.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_107d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc57a382c247563b2c4dbd01527c7fca66bee0926e5c97f026451bb3fe93c101
Instruction ID: 807c579b925dfb8e261065fd011b2043b439f6d75832a43c9365a2f8ac96226d
Opcode Fuzzy Hash: bc57a382c247563b2c4dbd01527c7fca66bee0926e5c97f026451bb3fe93c101
Instruction Fuzzy Hash: ED213671904240DFDB05DF54D9C0B2ABFA2FFC4328F20C2A9D8850B246C336D456CBA2

Function 0107D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629614625.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_107d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ed762d70b57f778489b2baf9164c18f44a876f2bca9ac4e0a4ac1692d6460d
Instruction ID: 9ecec3b99f01d43d0f3b8d9c1fb2cf8710f33a10de0d61e9d1fb9bcd6adda006
Opcode Fuzzy Hash: 50ed762d70b57f778489b2baf9164c18f44a876f2bca9ac4e0a4ac1692d6460d
Instruction Fuzzy Hash: 292133B2A04304DFDB01DF44D9C4B5ABFA5FF88324F20C1A9E9490B246C736E446CBA2

Function 0119D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629728538.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_119d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a375e838c311600b34b5b0ddd11968c4d895a00143ee0a657d0f14ea14df13da
Instruction ID: 29b53de98eb1bdc3d184a31ab32ca96796a026d418d907072d63823a3a97a8a8
Opcode Fuzzy Hash: a375e838c311600b34b5b0ddd11968c4d895a00143ee0a657d0f14ea14df13da
Instruction Fuzzy Hash: 83212275604300DFDF19DF64E884B16BB61FB84354F28C66DD84A0B286C33AD407CB62

Function 0119D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629728538.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_119d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae1b5647ed1e526871b0eb76fb4e1ee210fc6f40cd926ceaaf521b788554221
Instruction ID: 851c98834bfa1abdd4842d72a03ef11fa832fdb00d3185712221d631598ab47b
Opcode Fuzzy Hash: 5ae1b5647ed1e526871b0eb76fb4e1ee210fc6f40cd926ceaaf521b788554221
Instruction Fuzzy Hash: 98213775604300DFDF09DF94E9C0B15BB61FB84324F20C5ADE8094B282C336D406CB62

Function 0107D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629614625.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_107d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 4b731966d1469d5ba8761bc22aec1bedd030c8323d4d0b3f675d0f3c520e7823
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: A011DFB6904240DFCB02CF44D5C0B56BFB2FB84324F24C2A9D8490B257C33AE456CBA1

Function 0107D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629614625.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_107d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: c2c445971c831b2d3dc2a8d8b3b74597e2136c81c3b83a44b91c87836d577ba9
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: C711AF76904280CFCB16CF54D5C4B16BFB2FB84324F24C6A9D8890B657C33AD456CBA1

Function 0119D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629728538.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_119d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: 0dcf09ba909d43c67604fa3189afa34cdb19915b315fc7c06056483bb6525273
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 0511BB75504280DFCF06CF54D5C0B15BBA2FB84224F24C6ADD8494B296C33AD40ACB62

Function 0119D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1629728538.000000000119D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0119D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_119d000_lEIbxztPTKpOpY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: b149c6dd73f490646248b0056f6f5c78f1150b3c5dbfadb2dd8f3e724a9b2cf2
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 2C11BE75504280CFDF16CF58E5C4B15BB62FB44314F28C6A9D8494B656C33AD40ACB61

Analysis Process: RegSvcs.exePID: 7468, Parent PID: 5812COMMON

Execution Graph

Execution Coverage:	14.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.9%
Total number of Nodes:	39
Total number of Limit Nodes:	2

Executed Functions

Function 0043C410 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 236
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000), ref: 0043C4D7
InternetOpenUrlA.WININET(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 0043C525
InternetReadFile.WININET(?,00000000), ref: 0043C5D2

Strings

(1@, xrefs: 0043C508, 0043C531, 0043C535
(1@, xrefs: 0043C432

Memory Dump Source

Source File: 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2729064027.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2729064027.0000000000414000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegSvcs.jbxd

Similarity

API ID: Internet$Open$FileRead
String ID: (1@$(1@
API String ID: 72386350-1600409047
Opcode ID: a030e437ac2574167e16383b519864d1a9096562f6ba43c6aa2f0c1e38c30136
Instruction ID: 1fdab3fefa9a224a6a83f1959033e736e66ccc5207a3da93636885c7a9367e68
Opcode Fuzzy Hash: a030e437ac2574167e16383b519864d1a9096562f6ba43c6aa2f0c1e38c30136
Instruction Fuzzy Hash: 37810C75900209AFDB04EBE4DD85EEEBBBDEF48704F10811AF505B72A0DA74A945CF64

Function 0043EC50 Relevance: 27.2, APIs: 1, Strings: 16, Instructions: 1724
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\@, xrefs: 0043F81F
@, xrefs: 0043F9A3
@, xrefs: 0043ECBC
$@, xrefs: 0043F278
@, xrefs: 0043FB27
@@, xrefs: 0043EDEC
@@, xrefs: 0044057C
#, xrefs: 00440553
(@, xrefs: 0043F20F
L@, xrefs: 0043FBA4
]@, xrefs: 004405E8
@, xrefs: 0043ECDE
P@, xrefs: 0043F580
@@, xrefs: 0044044D
p@, xrefs: 0043EF07
l@, xrefs: 0043F393

Memory Dump Source

Source File: 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2729064027.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2729064027.0000000000414000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: @$ @$#$$@$(@$@@$@@$@@$L@$P@$\@$l@$p@$]@$@$@
API String ID: 0-3740098581
Opcode ID: 86b0310398114f7b4f7ed7790d3da216054dcfb360953983eb2a7d71c1c60fa3
Instruction ID: 149b71405c4009c6838ae3a467819799a54bcef0be8259aa488444f6d2e44765
Opcode Fuzzy Hash: 86b0310398114f7b4f7ed7790d3da216054dcfb360953983eb2a7d71c1c60fa3
Instruction Fuzzy Hash: 73032875D00219DBDB14DFE0DD88AEEB7B8BF48304F1081AAE50AB7264EB745A49CF54

Function 0043C700 Relevance: 15.2, APIs: 1, Strings: 8, Instructions: 1669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@`@, xrefs: 0043CD62
h`@, xrefs: 0043C96F
81@, xrefs: 0043C729
]@, xrefs: 0043DF0E
@`@, xrefs: 0043CBEF
h`@, xrefs: 0043CD98
@`@, xrefs: 0043C939
h`@, xrefs: 0043CC25

Memory Dump Source

Source File: 00000010.00000002.2729064027.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2729064027.0000000000400000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.2729064027.0000000000414000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 81@$@`@$@`@$@`@$h`@$h`@$h`@$]@
API String ID: 0-3705887567
Opcode ID: d98275519c7b0597f14d7d3f5e39eee759c2e1aee45e0780821537b3b3f0d264
Instruction ID: 05db9d5ddddb02a264b12fe29650fbfe7c870a450be2dbd8404fdcfd0951da13
Opcode Fuzzy Hash: d98275519c7b0597f14d7d3f5e39eee759c2e1aee45e0780821537b3b3f0d264
Instruction Fuzzy Hash: 9AF20771D10208DBDB14DFE0DD98ADEBBB9BF48304F10816AE506BB264EB746A49CF54

Analysis Process: fretsaw.exePID: 7732, Parent PID: 4084COMMON

Executed Functions

Function 024F1340 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1461a7e88fb9147a9406fe83e1c077a7d5afaeddb1ecb03b8218f9de6c0e07cb
Instruction ID: 3aff8e5726a2f35a1562a7dbc29528713912ae284c86dedd505a5ca3426aa4af
Opcode Fuzzy Hash: 1461a7e88fb9147a9406fe83e1c077a7d5afaeddb1ecb03b8218f9de6c0e07cb
Instruction Fuzzy Hash: BC325F34B00205CFDB54EF74D890B6A77A6BBC9345B14992DD50A8B398EB35EC82CF90

Function 024F0BC0 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96439da13a8614465af521c24d8a94dbd59206bcd8d7fef8dcc21eec10df2b2
Instruction ID: 36d3851282f438858fbcd7064470a2317f865d99fa4d832d4d10d8d4697549c9
Opcode Fuzzy Hash: e96439da13a8614465af521c24d8a94dbd59206bcd8d7fef8dcc21eec10df2b2
Instruction Fuzzy Hash: 2E818D35A00345CFDB1A9BB0C81879EBBF2BFC9710F15C56AD506973A9DB71A885CB80

Function 024F1230 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f41fb73edcc3c804b53e4591bea20391d9d0529a067122a48422c42d51a8bd
Instruction ID: 57ea35c1e5e52b52bafa45d7462eb59f76652dd19c2bb30c38cfb5ce266da225
Opcode Fuzzy Hash: 13f41fb73edcc3c804b53e4591bea20391d9d0529a067122a48422c42d51a8bd
Instruction Fuzzy Hash: 2F311634701210CFCB99AB78D45892D3BF6AF8AA1636504E9E506CF371DA36DC42CB80

Function 024F1240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7fbaf8898f4bf617865b2716ff92b8bcc83561d52714e2df1057b0c3579efa
Instruction ID: 1170e99ecba72830e479735b423b138cbfad9aab07ce08196578793a7f5f7682
Opcode Fuzzy Hash: af7fbaf8898f4bf617865b2716ff92b8bcc83561d52714e2df1057b0c3579efa
Instruction Fuzzy Hash: 1521E335701210CFCB98AB79C458A2D77E6AF89A1636108B8E506CF7B1DF36DC42CB80

Function 024F1C00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca42949cdc807e768ad11e99b19a7a4eb17682933a616d9cc0c6f604024f726
Instruction ID: f33f3591f1ed4eccf26661f31ec32f267003bc87f3aff9cfd3d5fa965e481297
Opcode Fuzzy Hash: fca42949cdc807e768ad11e99b19a7a4eb17682933a616d9cc0c6f604024f726
Instruction Fuzzy Hash: 1F11CE36E002459FCB41EFB4C8948DABFF1FF8A20071185AAE519DB225E7319906CFA0

Function 024F1C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d635c7f8914d8d5ffabe076068fe6095038293e48a691997c4f4942fbbbe846d
Instruction ID: 4bd08b368be5eb4f52fe3d1c3721c7fd5e70d6ab02c15bdd9f0b06560a7e11c5
Opcode Fuzzy Hash: d635c7f8914d8d5ffabe076068fe6095038293e48a691997c4f4942fbbbe846d
Instruction Fuzzy Hash: 24019E36E002059FCB40EFB5D88489FFBF5FF88300710866AE51997224E731A955CFA0

Function 024F0880 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd14b35e057c6621c86f6f0149a4980b8fd13e42b9a9ded1abc278522e792c57
Instruction ID: 06ee65db864648542d92223c44aa75365524a61ed6b5ef8b2cab77715755200c
Opcode Fuzzy Hash: fd14b35e057c6621c86f6f0149a4980b8fd13e42b9a9ded1abc278522e792c57
Instruction Fuzzy Hash: 91F03060A0F3D5AFCB429BB8AD645DFBFB4AD87204B0904EBE4C5D7163E1244916C7E2

Function 024F0F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eeb195a7e6dd90eaa618399316a7ebbd94d2e6459b7c4f7a8eb7805392f852d
Instruction ID: 7cea004af0de939480d9f4c803f6b2bef9f995f9747fcfda9eb0aaefa26652ac
Opcode Fuzzy Hash: 7eeb195a7e6dd90eaa618399316a7ebbd94d2e6459b7c4f7a8eb7805392f852d
Instruction Fuzzy Hash: 75F01C75900345CFEB15EB74C55C7AEBBB0BB88705F250859D50AAB360CBB48884CB61

Function 024F1AE0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9e52fb74995ae6761692383546cb3afada5d62775971c60fec20092697875a
Instruction ID: 9d01fcbb2fa7074c141a688969c786655a6e37d9852a9b0187aac0ae39e582fc
Opcode Fuzzy Hash: bb9e52fb74995ae6761692383546cb3afada5d62775971c60fec20092697875a
Instruction Fuzzy Hash: 8FD01235710214DBC710EB69E949A863778AB49611F504095E609CB394EB71D814CBD1

Function 024F08A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1852886645.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_24f0000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb401bea38a7b569fe6db4a5bcd4dc11f88d29afede347fff3643f3a01d0d79
Instruction ID: 3644df6298a1eaaf5682d37c3dbeea8a3e03e60f63fa9a6e759735d1ea60556d
Opcode Fuzzy Hash: 1eb401bea38a7b569fe6db4a5bcd4dc11f88d29afede347fff3643f3a01d0d79
Instruction Fuzzy Hash: 59D067B5D01219AF8B80EFB999052DEBBF8FE49250B104576D919E3205E6705A10CBD1

Analysis Process: fretsaw.exePID: 7924, Parent PID: 4084COMMON

Executed Functions

Function 00961340 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500f6a8355b488e5bea58bc11d4357635b3345cdd3e2461ee65ad211f5d74df8
Instruction ID: 9189b1fa16c761074e3220778b6e7c8f8b50e0349fb611ae8ca9752ae0c2bfc4
Opcode Fuzzy Hash: 500f6a8355b488e5bea58bc11d4357635b3345cdd3e2461ee65ad211f5d74df8
Instruction Fuzzy Hash: E9226D34B15206CFDB14EF74D89066A77BBBBC8345B248929C5168B398DB35EC86CF90

Function 00960CE5 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8284e11b52eed380422e627d784c5ad967d3c40de2b8d391f0b3c6ffdb31c3
Instruction ID: 7472dfb694159b0e9547ec8218171aba05e01e755d7db600bc536f9ad717c5a7
Opcode Fuzzy Hash: fe8284e11b52eed380422e627d784c5ad967d3c40de2b8d391f0b3c6ffdb31c3
Instruction Fuzzy Hash: CA717F35B10305CFCB269BB0C4586AEBBF6AFC8300F15C569D416973A4DB75AC85DB80

Function 0096123D Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82ecd3b8db400d25a9fcf24412f6934c520b4b39019c46c47a00493666b3dae
Instruction ID: 163432d18bc8b0eb623d6c93a5addd3b999d4f54237884ba5fa5f7c9f3d4494a
Opcode Fuzzy Hash: e82ecd3b8db400d25a9fcf24412f6934c520b4b39019c46c47a00493666b3dae
Instruction Fuzzy Hash: E621F0347412108FCB58AB79C458A2D77A6AF89A1636109B8E406CF7B1DA36DC42CB80

Function 00961240 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a1a10125e57e01c6304acfefe1b4d1d3cb7881b4399b404476d94d5b9ead71
Instruction ID: 5186afeafc25f7ad14b0449c81c5582255f3cd7d248fa52dbb923bea352ddb64
Opcode Fuzzy Hash: 40a1a10125e57e01c6304acfefe1b4d1d3cb7881b4399b404476d94d5b9ead71
Instruction Fuzzy Hash: 1721D235701210CFCB58AB79C458A2D77EAAF89A1636108B8E506CF7B1DA36DC42CB80

Function 00961AE0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8209154b09d7fa77b235c737b57ca848b8b9696fb663360a9ad0e614193f00
Instruction ID: 1e32fd5aff08f772889d347338c56065e7889cf575a89c47ecadf373425b4f5b
Opcode Fuzzy Hash: 6d8209154b09d7fa77b235c737b57ca848b8b9696fb663360a9ad0e614193f00
Instruction Fuzzy Hash: F611E631F103089FC705EB75A850B9D7BB6AFC9300F1080A9C505DB398DE349D06CB91

Function 00961C09 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbeeacc882b98f8e88565a2f23f99dee8be8ab721def2b808b07c1c03a3b449
Instruction ID: f389193db6987b7c4e0e3840505ad563f2c8b1e62b772345e847f3250cd57a2a
Opcode Fuzzy Hash: dfbeeacc882b98f8e88565a2f23f99dee8be8ab721def2b808b07c1c03a3b449
Instruction Fuzzy Hash: 34118E35E002459FCB00EFB4D8448AEFBB5EF88200710866AE515DB225E7709909CF90

Function 00961C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a7ac44336e21c7f4531919b08a027d9ea794921c4c6af304c0ed30e4c809a1
Instruction ID: 5872bd8491b40d6d302a076ba79701f0547f171379d4eba967ebae1298e4e0f6
Opcode Fuzzy Hash: e2a7ac44336e21c7f4531919b08a027d9ea794921c4c6af304c0ed30e4c809a1
Instruction Fuzzy Hash: 98018035E002059FCB40EFB4D84489AFBB5FF88200710856AE5159B224EB70A909CF90

Function 00960F9D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193dd4ba6f6938f41a5d2c78b7120abaf57fe2e4cdb3c7b71c30cabfce0e2fab
Instruction ID: 3b11238a24fcee4baa9473625918293ac15bb6b6eea70144d17b196fb2260b52
Opcode Fuzzy Hash: 193dd4ba6f6938f41a5d2c78b7120abaf57fe2e4cdb3c7b71c30cabfce0e2fab
Instruction Fuzzy Hash: 61F03075A04345CFDB14DB74C45C7AD7BF0BB48704F290859D402AB3A0DB748C84CB50

Function 00961AD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0c67fdb62253a281b618ca4164a3af8a12a1de74db4d039ff1e41da9683687
Instruction ID: a2b0b659fcc0475164960c674659b3556add2b314fa8ff7f1c927923f3437cc4
Opcode Fuzzy Hash: 0d0c67fdb62253a281b618ca4164a3af8a12a1de74db4d039ff1e41da9683687
Instruction Fuzzy Hash: 50E02635B542108FC310DB38AC49DC93F789F08301B1040EDE404CB3A2D661CC04CBD1

Function 00961B68 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53ad5b7fef785dba59fe752856b09db7d71fb6b6757bf588703c8574a9cb921
Instruction ID: 7a00745445d3b8dd536ba50a9ed5b8273ea1b28b13d8f1bd07726f8fc66787c9
Opcode Fuzzy Hash: d53ad5b7fef785dba59fe752856b09db7d71fb6b6757bf588703c8574a9cb921
Instruction Fuzzy Hash: 1FE0C2312103189BC705B7B9A06079933DEABC4611B004478D5058B38CEF205D4907D5

Function 009608A5 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81edad88e5c093dbde32b57de5f58f51d47a73fcc820ed0911303a3be8edd35
Instruction ID: 81dfcb4a52ae31890d6dacc7b4f1df5831486442094f032649bad155295da189
Opcode Fuzzy Hash: e81edad88e5c093dbde32b57de5f58f51d47a73fcc820ed0911303a3be8edd35
Instruction Fuzzy Hash: F9E0EC75E45129AF8B40DBB859055EEBBF0BE48350B10457AD80AE3241E2744A11CFD1

Function 009608A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1932027186.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_960000_fretsaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1ba9b9d629900cc39b7d9b2761f360d910e48ca858a23e8307d0fc50306f28
Instruction ID: 338463cefde2a8f58a9844b9f4745accee0a3b471bc43560ab1bb85dabaf6f5e
Opcode Fuzzy Hash: fc1ba9b9d629900cc39b7d9b2761f360d910e48ca858a23e8307d0fc50306f28
Instruction Fuzzy Hash: 92D017B1E01219AF8B40EFB899051DEBBF8FE08250B104576D909E3200E2704A10CBD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fretsaw.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lEIbxztPTKpOpY.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\QHa07500

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24owcl2c.zph.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c12e13jh.ooi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egxry0tt.m0v.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eogkb02z.5ao.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_guip01pu.5t4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_syzwyslv.bay.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_torplt2j.obk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zcwu3dh4.tfg.ps1

Windows Analysis Report
PO.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre