Windows Analysis Report
4qOTcmSTSq.exe

Overview

General Information

Sample name: 4qOTcmSTSq.exe (renamed because the original name is a hash value)
Original sample name: 2062623f5b2697dd4afab644624bbcba.exe
Analysis ID: 1580858
MD5: 2062623f5b2697dd4afab644624bbcba
SHA1: 64f39311b47432fd60310335ed1d1533a4bc58f0
SHA256: 52193dd36ef4dc531beff1fd5330283ddae1d37137abd9ac7ecbe4719dda57c4
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Deletes itself after installation
Detected VMProtect packer
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Entry point lies outside standard sections
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Opens a port and listens for incoming connection (possibly a backdoor)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 4qOTcmSTSq.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\4qOTcmSTSq.exe" MD5: 2062623F5B2697DD4AFAB644624BBCBA)
    • 4qOTcmSTSq.exe (PID: 7396 cmdline: "C:\ \4qOTcmSTSq.exe" 7312 "C:\Users\user\Desktop\4qOTcmSTSq.exe" MD5: 2062623F5B2697DD4AFAB644624BBCBA)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 103.8.70.183, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\ \4qOTcmSTSq.exe, Initiated: true, ProcessId: 7396, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
No Suricata rule has matched

AV Detection

Source: 4qOTcmSTSq.exe | Avira: detected
Source: C:\ \4qOTcmSTSq.exe | Avira: detection malicious, Label: HEUR/AGEN.1332402
Source: C:\ \4qOTcmSTSq.exe | ReversingLabs: Detection: 31%
Source: 4qOTcmSTSq.exe | Virustotal: Detection: 43%
Source: 4qOTcmSTSq.exe | ReversingLabs: Detection: 31%
Source: C:\ \4qOTcmSTSq.exe | Joe Sandbox ML: detected
Source: 4qOTcmSTSq.exe | Joe Sandbox ML: detected

Opens a port and listens for incoming connection (possibly a backdoor)
Source: C:\ \4qOTcmSTSq.exe | Socket bind: port: 49730
Source: C:\ \4qOTcmSTSq.exe | Socket bind: port: 49763

Uses 32bit PE files
Source: 4qOTcmSTSq.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
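The static PE signatures above (32-bit image, the Characteristics flag combination, sections with non-standard names or special characters, more sections than normal, entry point outside standard sections) can be reproduced without a sandbox. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the PE file header and section table with struct, decodes the Characteristics bitmask into the flag names the report lists, and applies the section and entry-point checks. The input is a constructed minimal PE from build_sample_pe() that sets exactly the reported flags (0x81AF); the section names it uses (".vmp0" and a name with control characters), the STANDARD_SECTIONS set and the "typical" section-count threshold are assumptions of the example, since the report does not print the sample's section names.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, values from the PE/COFF specification.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}

# Section names a normal linker emits; anything else counts as non-standard here
# (assumption of this example, not the sandbox's own list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}


def decode_characteristics(value):
    """Return the flag names set in a Characteristics word, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def parse_pe(data):
    """Minimal PE header parser: file header, entry point RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]            # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first four fields are needed here.
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize})
    return {"machine": machine, "magic": magic, "characteristics": chars,
            "entry_rva": entry_rva, "sections": sections}


def triage(pe, max_typical_sections=8):
    """Apply the static checks the report's signatures describe; returns a list of findings."""
    findings = []
    flags = decode_characteristics(pe["characteristics"])
    if "32BIT_MACHINE" in flags and pe["magic"] == 0x10B:
        findings.append("32-bit PE (PE32)")
    if {"BYTES_REVERSED_LO", "BYTES_REVERSED_HI"} <= set(flags):
        # Both flags are deprecated and should be zero in current linker output.
        findings.append("deprecated BYTES_REVERSED_LO/HI flags set")
    if len(pe["sections"]) > max_typical_sections:
        findings.append(f"{len(pe['sections'])} sections (more than the assumed typical maximum of {max_typical_sections})")
    entry_section = None
    for s in pe["sections"]:
        name = s["name"]
        if any(not (c.isalnum() or c in "._$") for c in name):
            findings.append(f"section name with special characters: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name!r}")
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = name
    if entry_section is None:
        findings.append("entry point not inside any section")
    elif entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections (in {entry_section!r})")
    return findings


def build_sample_pe(entry_rva=0x3010):
    """Constructed minimal PE32 with the Characteristics value the report lists (0x81AF)."""
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (b".text", 0x1000, 0x1000, 0x200, 0x400),
        (b".rdata", 0x1000, 0x2000, 0x200, 0x600),
        (b".vmp0", 0x5000, 0x3000, 0x200, 0x800),         # assumed packer section holding the entry point
        (b".\x01\x02x", 0x1000, 0x8000, 0x200, 0xA00),    # assumed name with control characters
    ]
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x81AF)
    opt = bytearray(224)                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("Characteristics:", ", ".join(decode_characteristics(pe["characteristics"])))
    for finding in triage(pe):
        print("-", finding)
```

To run the same checks against a real file, replace build_sample_pe() with the bytes of the file; parse_pe() reads only the headers, so it is safe to point at a packed sample without executing it.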

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: z:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: x:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: v:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: t:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: r:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: p:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: n:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: l:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: j:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: h:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: f:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: b:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: `:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: ^:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: y:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: w:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: u:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: s:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: q:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: o:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: m:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: k:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: i:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: g:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: e:
Source: C:\ \4qOTcmSTSq.exe | File opened: c:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: a:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: _:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: ]:
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File opened: [:

Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 7777
Source: unknown | Network traffic detected: HTTP traffic on port 7777 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 7777
Source: unknown | Network traffic detected: HTTP traffic on port 7777 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 7777
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 103.8.70.183:7777
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 103.192.209.66:11493
Source: Joe Sandbox View | ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: global traffic | HTTP traffic detected: GET /wang/9wb-JLCMX.txt HTTP/1.1 | Content-Type: text/html, */* | Content-Length: 0 | Date: Thu, 26 Dec 2024 11:14:9 GMT | Host: lb.luob727sgdsg.top | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Source: global traffic | HTTP traffic detected: GET /wang/9wb-JLCMX.txt HTTP/1.1 | Content-Type: text/html, */* | Content-Length: 0 | Date: Thu, 26 Dec 2024 11:15:9 GMT | Host: lb.luob727sgdsg.top | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Source: global traffic | HTTP traffic detected: GET /wang/9wb-JLCMX.txt HTTP/1.1 | Content-Type: text/html, */* | Content-Length: 0 | Date: Thu, 26 Dec 2024 11:16:6 GMT | Host: lb.luob727sgdsg.top | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic | DNS traffic detected: DNS query: lb.luob727sgdsg.top
Source: global traffic | DNS traffic detected: DNS query: dw507scp1q.dw507scp1q.top
Source: global traffic | DNS traffic detected: DNS query: crt.trust-provider.cn
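The Sigma match in the System Summary and the HTTP beacons above are the two network observations a defender would turn into detection logic. The script below is an added example, not part of the Joe Sandbox report, the Sigma rule or the sample: it scans Sysmon-style "Key: value" event strings for outbound TCP to non-standard ports and for the report's indicators (103.8.70.183:7777, 103.192.209.66:11493, the two queried domains), and separately dissects the raw GET request on port 7777 for the traits the report shows: plaintext HTTP on a non-HTTP port, the MSIE 6.0 user agent, a client-sent Date header whose seconds field is not two digits, and a Content-Type header on a bodiless GET. All event strings and the benign control event are constructed for this example; the EXPECTED_TCP_PORTS and PLAINTEXT_HTTP_PORTS sets are assumptions, not the Sigma rule's own port list. One caveat the report data itself supports: the bound ports 49730 and 49763 that trigger "Opens a port and listens" are the same source ports as the outbound connections to port 7777, so the connection direction (Initiated: true in the Sigma event) should be checked before treating the bind as a listening backdoor.

```python
import re
from ipaddress import ip_address

# Indicators copied from the report's network section.
IOC_HOSTS = {"lb.luob727sgdsg.top", "dw507scp1q.dw507scp1q.top"}
IOC_SOCKETS = {("103.8.70.183", 7777), ("103.192.209.66", 11493)}
# Ports on which outbound TCP from a desktop process is treated as expected
# (assumption of this example, not a Joe Sandbox or Sigma list).
EXPECTED_TCP_PORTS = {53, 80, 443, 8080, 8443}
PLAINTEXT_HTTP_PORTS = {80, 8000, 8080}

# Constructed Sysmon-style events in the "Key: value, Key: value" form the Sigma match is
# printed in. The first two and the DNS event mirror the report; the firefox.exe line is a
# constructed benign control (1.1.1.1:443 is not something the report attributes to a browser).
EVENTS = [
    r"EventID: 3, Image: C:\ \4qOTcmSTSq.exe, ProcessId: 7396, Protocol: tcp, Initiated: true, "
    r"SourceIp: 192.168.2.4, SourcePort: 49730, DestinationIp: 103.8.70.183, DestinationPort: 7777",
    r"EventID: 3, Image: C:\ \4qOTcmSTSq.exe, ProcessId: 7396, Protocol: tcp, Initiated: true, "
    r"SourceIp: 192.168.2.4, SourcePort: 49731, DestinationIp: 103.192.209.66, DestinationPort: 11493",
    r"EventID: 3, Image: C:\Program Files\Mozilla Firefox\firefox.exe, ProcessId: 4120, Protocol: tcp, "
    r"Initiated: true, SourceIp: 192.168.2.4, SourcePort: 49800, DestinationIp: 1.1.1.1, DestinationPort: 443",
    r"EventID: 22, Image: C:\ \4qOTcmSTSq.exe, ProcessId: 7396, QueryName: lb.luob727sgdsg.top, QueryResults: 103.8.70.183",
]

# The request the report shows on port 7777, headers verbatim (constructed as a raw request).
SAMPLE_HTTP = (7777,
               "GET /wang/9wb-JLCMX.txt HTTP/1.1\r\n"
               "Content-Type: text/html, */*\r\n"
               "Content-Length: 0\r\n"
               "Date: Thu, 26 Dec 2024 11:14:9 GMT\r\n"
               "Host: lb.luob727sgdsg.top\r\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")

IMF_FIXDATE = re.compile(r"[A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} GMT")


def parse_kv(line):
    """Parse 'Key: value, Key: value' into a dict (values may not contain commas)."""
    return dict(m.groups() for m in re.finditer(r"(\w+): ([^,]+)", line))


def scan_events(lines):
    """Flag outbound TCP to known C2 sockets or unexpected ports, and DNS queries for IOC domains."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        who = f"{ev.get('Image')} (PID {ev.get('ProcessId')})"
        if ev.get("EventID") == "3" and ev.get("Initiated") == "true" and ev.get("Protocol") == "tcp":
            dst, port = ev["DestinationIp"], int(ev["DestinationPort"])
            if not ip_address(dst).is_global:      # ignore RFC 1918, loopback, link-local
                continue
            if (dst, port) in IOC_SOCKETS:
                alerts.append(f"{who}: known C2 socket {dst}:{port}")
            elif port not in EXPECTED_TCP_PORTS:
                alerts.append(f"{who}: outbound TCP to non-standard port {dst}:{port}")
        elif ev.get("EventID") == "22" and ev.get("QueryName") in IOC_HOSTS:
            alerts.append(f"{who}: DNS query for IOC domain {ev['QueryName']}")
    return alerts


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into request line and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def check_http(dst_port, raw):
    """Return the traits of a request that match the beacon seen in the report."""
    req = parse_http_request(raw)
    h = req["headers"]
    hits = []
    if dst_port not in PLAINTEXT_HTTP_PORTS:
        hits.append(f"HTTP on non-standard port {dst_port}")
    host = h.get("host", "").split(":")[0]
    if host in IOC_HOSTS:
        hits.append(f"Host header {host} matches IOC domain")
    if "MSIE 6.0" in h.get("user-agent", ""):
        hits.append("legacy MSIE 6.0 user agent")
    if "date" in h:
        hits.append("client-sent Date header (uncommon in browser requests)")
        if not IMF_FIXDATE.fullmatch(h["date"]):   # RFC 7231 IMF-fixdate needs two-digit seconds
            hits.append(f"malformed Date header {h['date']!r}")
    if req["method"] == "GET" and "content-type" in h:
        hits.append("Content-Type header on a bodiless GET")
    return hits


if __name__ == "__main__":
    for alert in scan_events(EVENTS):
        print("EVENT:", alert)
    for hit in check_http(*SAMPLE_HTTP):
        print("HTTP :", hit)
```

The event scanner keys on connection direction (Initiated) and a public destination, which is also why it would not fire on the bind() of an ephemeral port that is immediately used for an outbound connect(). The HTTP checks are deliberately each weak on their own (a Date header or an old user agent is not malicious by itself); their combination on a non-HTTP port is what matches the beacon in the report.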
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906569619.000000000449C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1905087731.00000000093FD000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906277482.000000000449B000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1904986353.00000000093F8000.00000004.00000020.00020000.00000000.sdmp, 8AB1ABABF0945E38D11565C49B5119C1.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907288900.00000000094C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.defence.gov.au/pki0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.000000000949C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: D360CDF54BD6ABBBD850E70454AE4E240.1.dr | String found in binary or memory: http://crt.trust-provider.cn/TrustAsiaRSADVTLSCAG3.crt
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2943298118.0000000004393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.trust-provider.cn/TrustAsiaRSADVTLSCAG3.crt0)
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.00000000043C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enLG
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942820739.0000000003928000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://lb.luob727sgdsg.top:7777/wang/9wb-JLCMX.txt
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942820739.0000000003928000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://lb.luob727sgdsg.top:7777/wang/9wb-JLCMX.txtP
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.accv.es0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906569619.000000000449C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1905087731.00000000093FD000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906277482.000000000449B000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1904986353.00000000093F8000.00000004.00000020.00020000.00000000.sdmp, 8AB1ABABF0945E38D11565C49B5119C1.1.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.comc
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2943298118.0000000004393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.trust-provider.cn0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.acabogacia.org/doc0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.acabogacia.org0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.accv.es00
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ancert.com/cps0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.anf.es
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.comsign.co.il/cps0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.defence.gov.au/pki0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.disig.sk/ca0f
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dnie.es/dpc0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-me.lv/repository0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top/mNdhx
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top/qN
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/L
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2943298118.000000000434C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm-
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm/
Source: 4qOTcmSTSq.exe, 00000001.00000002.2941348877.0000000000190000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm/xjlcm/link.htmeH
Source: 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm00T
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm3
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm7
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm:
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.00000000043C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm=J
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm?
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmA
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmCNZh
Source: 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmF
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmMFHi
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmS
Source: 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmT
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmUC5
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmW
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmd
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htme
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htment
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmes
Source: 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmf
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.html
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmll
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm3
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmp
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htms
Source: 4qOTcmSTSq.exe, 00000001.00000002.2943298118.000000000434C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmsr
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmstedr/en/authrootstl.cab?2abd31902ae
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmuK
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm~H
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dw507scp1q.dw507scp1q.top:11493/er
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004448000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repository.tsp.zetes.com0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2943298118.0000000004393000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
Source: 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004421000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004448000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000443C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000442E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.bt.cn/?from=404
Source: 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094A6000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
Source: 4qOTcmSTSq.exe, 00000001.00000003.1907288900.00000000094C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
Source: 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: C:\ \4qOTcmSTSq.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D360CDF54BD6ABBBD850E70454AE4E24
Source: C:\ \4qOTcmSTSq.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8AB1ABABF0945E38D11565C49B5119C1
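Two things about the string list above are worth separating before any of it becomes an IOC. The CRL, OCSP, CPS and policy URLs belong to root and intermediate CA certificates and are the sort of strings a process carries once it has loaded the Windows trust list (the "authrootstl.cab" fragment and the CryptnetUrlCache files created above are consistent with that happening during the TLS handshake); they say nothing about the operator. The dw507scp1q.dw507scp1q.top strings are different: an explicit non-standard port (11493) on HTTPS, repeated across many memory regions, with the bytes after "link.htm" being whatever followed the URL in memory rather than distinct paths. The script below is an added example, not part of the Joe Sandbox report; it takes a constructed subset of these strings, collapses them to scheme/host/port, labels the certificate-infrastructure noise, and ranks the remaining origins so the one to pivot on comes out first. The keyword list for certificate URLs is a heuristic chosen for this example.

```python
"""Triage of URL strings recovered from process memory (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed subset of the "String found in binary or memory" rows in the
# report above. Characters after a URL (e.g. "...link.htm3") are whatever
# bytes followed it in memory, so several rows map to one real URL.
MEMORY_STRINGS = [
    "http://www.disig.sk/ca/crl/ca_disig.crl0",
    "http://www.e-szigno.hu/RootCA.crt0",
    "https://ocsp.quovadisoffshore.com0",
    "https://sectigo.com/CPS0",
    "http://www.pkioverheid.nl/policies/root-policy0",
    "https://dw507scp1q.dw507scp1q.top/mNdhx",
    "https://dw507scp1q.dw507scp1q.top:11493/",
    "https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm",
    "https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm3",
    "https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmCNZh",
    "https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm~H",
    "https://login.live.com",
    "https://www.bt.cn/?from=404",
]

DEFAULT_PORTS = {"http": 80, "https": 443}
# Heuristic fragments typical of X.509 AIA / CRL distribution point / CPS
# pointers, the kind of URL every certificate in a CA bundle or CTL carries.
CERT_INFRA = re.compile(
    r"(\.crl|\.crt|\.cer|crl/|ocsp|cps|pki|cert|repository|polic|dpc|zertifikat|rootca)",
    re.I,
)


def parse_url(raw):
    """Return (scheme, host, port, port_was_explicit) for one memory string.

    With no path after the host, trailing memory bytes stick to the hostname
    (e.g. "...com0"); that is kept as-is rather than guessed away.
    """
    parts = urlsplit(raw.strip())
    try:
        port = parts.port
    except ValueError:          # netloc has a port field that is not numeric
        port = None
    explicit = port is not None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname or "", port, explicit


def classify(raw):
    """Label one string: cert-infra noise, suspect C2, or other."""
    scheme, host, port, explicit = parse_url(raw)
    nonstandard = explicit and port != DEFAULT_PORTS.get(scheme)
    if CERT_INFRA.search(raw):
        category = "cert-infra"
    elif nonstandard:
        category = "suspect-c2"
    else:
        category = "other"
    return {"scheme": scheme, "host": host, "port": port,
            "nonstandard_port": nonstandard, "category": category}


def triage(strings):
    """Collapse strings to (scheme, host, port) and rank the most suspicious first."""
    counts, first = Counter(), {}
    for raw in strings:
        c = classify(raw)
        key = (c["scheme"], c["host"], c["port"])
        counts[key] += 1
        first.setdefault(key, c)
    rows = [dict(first[k], count=n) for k, n in counts.items()]
    # explicit non-standard port first, then by how often the origin recurs
    rows.sort(key=lambda r: (not r["nonstandard_port"], -r["count"], r["host"]))
    return rows


def c2_candidates(strings):
    """host:port pairs worth blocking or hunting for, from the triage table."""
    return [f"{r['host']}:{r['port']}" for r in triage(strings)
            if r["category"] == "suspect-c2"]


if __name__ == "__main__":
    for row in triage(MEMORY_STRINGS):
        print(f"{row['count']:2d}x {row['category']:<10} "
              f"{row['scheme']}://{row['host']}:{row['port']}")
```

Running it on the constructed list puts dw507scp1q.dw507scp1q.top:11493 at the top with five hits and leaves the CA URLs labelled as certificate infrastructure. The same host on port 443 (the "/mNdhx" and "/qN" strings) stays a separate origin on purpose: whether it is the same server or a different one is a question for passive DNS and the PCAP, not for string matching.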

System Summary

Source: 4qOTcmSTSq.exe.0.dr | Static PE information: .vmp0 and .vmp1 section names
Source: 4qOTcmSTSq.exe | Static PE information: section name: .8</
Source: 4qOTcmSTSq.exe | Static PE information: section name: .<OL
Source: 4qOTcmSTSq.exe.0.dr | Static PE information: section name: .8</
Source: 4qOTcmSTSq.exe.0.dr | Static PE information: section name: .<OL
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory allocated: 77040000 page execute and read and write
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory allocated: 75100000 page execute and read and write
Source: C:\ \4qOTcmSTSq.exe | Memory allocated: 77040000 page execute and read and write
Source: C:\ \4qOTcmSTSq.exe | Memory allocated: 75100000 page execute and read and write
Source: C:\ \4qOTcmSTSq.exe | Code function: 1_3_0391C4B7
Source: C:\ \4qOTcmSTSq.exe | Code function: 1_3_0391E2D9
Source: C:\ \4qOTcmSTSq.exe | Code function: 1_3_0391C4C7
Source: C:\ \4qOTcmSTSq.exe | Code function: 1_3_0391CE91
Source: C:\ \4qOTcmSTSq.exe | Code function: 1_3_0391CB49
Source: 4qOTcmSTSq.exe.0.dr | Static PE information: Number of sections : 13 > 10
Source: 4qOTcmSTSq.exe | Static PE information: Number of sections : 13 > 10
Source: 4qOTcmSTSq.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal100.troj.winEXE@3/21@5/2
Source: C:\ \4qOTcmSTSq.exe | File created: C:\Users\user\Desktop\?????I[9en].lnk
Source: C:\ \4qOTcmSTSq.exe | Mutant created: \Sessions\1\BaseNamedObjects\C: 4qOTcmSTSq.exe
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Mutant created: \Sessions\1\BaseNamedObjects\C:UsersuserDesktop4qOTcmSTSq.exe
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ \4qOTcmSTSq.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ \4qOTcmSTSq.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4qOTcmSTSq.exe | Virustotal: Detection: 43%
Source: 4qOTcmSTSq.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File read: C:\Users\user\Desktop\4qOTcmSTSq.exe
Source: unknown | Process created: C:\Users\user\Desktop\4qOTcmSTSq.exe "C:\Users\user\Desktop\4qOTcmSTSq.exe"
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Process created: C:\ \4qOTcmSTSq.exe "C:\ \4qOTcmSTSq.exe" 7312 "C:\Users\user\Desktop\4qOTcmSTSq.exe"
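The process and mutex rows above describe one pattern worth a hunting rule: the sample starts a copy of itself with the same file name from another directory, and the copy receives a number and the original's full path on its command line. The mutex names are simply the image path with the backslashes removed ("C:UsersuserDesktop4qOTcmSTSq.exe", "C: 4qOTcmSTSq.exe"), which is a cheap second signal. The script below is an added example, not part of the report, written against constructed process-creation records in a Sysmon-like shape; the parent PID, the copy's PID and the benign control rows are made up, and the assumption that the numeric argument is the parent's PID is exactly that, an assumption the report does not confirm.

```python
"""Hunting the copy-and-relaunch pattern in process telemetry (added example)."""
import ntpath
import re

# Constructed Sysmon-like process-creation records. The two 4qOTcmSTSq.exe
# rows mirror the command lines in the report; PIDs and the control rows
# (updater.exe, cmd.exe) are invented for this example.
EVENTS = [
    {"pid": 7312, "ppid": 4180,
     "image": r"C:\Users\user\Desktop\4qOTcmSTSq.exe",
     "cmdline": r'"C:\Users\user\Desktop\4qOTcmSTSq.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 7488, "ppid": 7312,            # assumed: 7312 is the parent's PID
     "image": r"C:\ \4qOTcmSTSq.exe",
     "cmdline": r'"C:\ \4qOTcmSTSq.exe" 7312 "C:\Users\user\Desktop\4qOTcmSTSq.exe"',
     "parent_image": r"C:\Users\user\Desktop\4qOTcmSTSq.exe"},
    {"pid": 900, "ppid": 880,
     "image": r"C:\Program Files\App\updater.exe",
     "cmdline": r'"C:\Program Files\App\updater.exe" /check',
     "parent_image": r"C:\Program Files\App\app.exe"},
    {"pid": 1200, "ppid": 1100,            # same name, same directory: benign
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def mutex_name_for(image_path):
    """Mutex name this family derives from its own path: backslashes dropped."""
    return image_path.replace("\\", "")


def relaunch_findings(events):
    """Flag children that are a same-named copy of their parent from another
    directory, and note whether the parent's path or PID travels in the args."""
    findings = []
    for e in events:
        child_dir, child_name = ntpath.split(e["image"])
        parent_dir, parent_name = ntpath.split(e["parent_image"])
        if child_name.lower() != parent_name.lower():
            continue
        if child_dir.lower() == parent_dir.lower():
            continue                        # ordinary self-spawn, e.g. cmd -> cmd
        args = split_cmdline(e["cmdline"])[1:]
        reasons = ["same-name copy launched from a different directory"]
        if any(a.lower() == e["parent_image"].lower() for a in args):
            reasons.append("parent's own path passed as an argument")
        if any(a.isdigit() and int(a) == e["ppid"] for a in args):
            reasons.append("parent PID passed as an argument")
        findings.append({"pid": e["pid"], "image": e["image"],
                         "expected_mutex": mutex_name_for(e["image"]),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in relaunch_findings(EVENTS):
        print(f"pid {f['pid']} {f['image']}")
        for r in f["reasons"]:
            print("  -", r)
        print("  mutex to look for:", f["expected_mutex"])
```

Only the copy in "C:\ \" is flagged, with all three reasons; cmd.exe spawning cmd.exe from the same directory is left alone. In a real pipeline the parent-PID check needs the process tree rather than the argument alone, since the number could be anything; the path check is the stronger of the two.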
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: apphelp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: mpr.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: version.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wininet.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: winmm.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wsock32.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: uxtheme.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: olepro32.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: kernel.appcore.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: textshaping.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ieframe.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: iertutil.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: netapi32.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: userenv.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: winhttp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wkscli.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: netutils.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dataexchange.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: d3d11.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dcomp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dxgi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: twinapi.appcore.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: windows.storage.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wldp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: windowscodecs.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: profapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: textinputframework.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: coreuicomponents.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: coremessaging.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ntmarta.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: coremessaging.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: wintypes.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: propsys.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: linkinfo.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ntshrui.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: sspicli.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: srvcli.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: cscapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: mswsock.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dnsapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: iphlpapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: fwpuclnt.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: rasadhlp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: urlmon.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: msiso.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: winnsi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: mshtml.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: powrprof.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: umpdc.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: cryptbase.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: schannel.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: mskeyprotect.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ntasn1.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: msasn1.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dpapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: cryptsp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: rsaenh.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: gpapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: cryptnet.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dhcpcsvc6.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: dhcpcsvc.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: webio.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: cabinet.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ncrypt.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: ncryptsslp.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: srpapi.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: secur32.dll
Source: C:\ \4qOTcmSTSq.exe | Section loaded: mlang.dll
Source: C:\Users\user\Desktop\4qOTcmSTSq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
Source: ?????I[9en].lnk.1.drLNK file: ..\..\..\\4qOTcmSTSq.exe
Source: C:\Users\user\Desktop\4qOTcmSTSq.exeWindow found: window name: TComboBoxJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: 4qOTcmSTSq.exeStatic file information: File size 19605580 > 1048576
Source: 4qOTcmSTSq.exeStatic PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x632600
Source: initial sampleStatic PE information: section where entry point is pointing to: .vmp1
Source: 4qOTcmSTSq.exeStatic PE information: section name: .8</
Source: 4qOTcmSTSq.exeStatic PE information: section name: .<OL
Source: 4qOTcmSTSq.exeStatic PE information: section name: .NewSec
Source: 4qOTcmSTSq.exeStatic PE information: section name: .E.3
Source: 4qOTcmSTSq.exeStatic PE information: section name: .vmp0
Source: 4qOTcmSTSq.exeStatic PE information: section name: .vmp1
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .8</
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .<OL
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .NewSec
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .E.3
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .vmp0
Source: 4qOTcmSTSq.exe.0.drStatic PE information: section name: .vmp1
Source: C:\ \4qOTcmSTSq.exeCode function: 1_3_038F8BEF push ebp; ret 1_3_038F8BF0
Source: C:\ \4qOTcmSTSq.exeCode function: 1_3_03923355 push FFFFFF9Dh; retf 1_3_0392335B
Source: C:\Users\user\Desktop\4qOTcmSTSq.exeFile created: C:\ \4qOTcmSTSq.exeJump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\ \4qOTcmSTSq.exe | File deleted: c:\users\user\desktop\4qotcmstsq.exe
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 77040005 value: E9 2B BA E8 FF
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 76ECBA30 value: E9 6B 4E 9A 8A
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 77040017 value: E9 7C 8E ED FF
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 76F18E90 value: E9 9B 7A 95 8A
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 75100005 value: E9 8B 8A ED FF
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 74FD8A90 value: E9 1B 7D 89 8C
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 75100014 value: E9 1C 02 F0 FF
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Memory written: PID: 7312 base: 75000230 value: E9 0B 06 87 8C
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 77040005 value: E9 2B BA E8 FF
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 76ECBA30 value: E9 6B 4E 9A 8A
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 77040017 value: E9 7C 8E ED FF
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 76F18E90 value: E9 9B 7A 95 8A
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 75100005 value: E9 8B 8A ED FF
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 74FD8A90 value: E9 1B 7D 89 8C
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 75100014 value: E9 1C 02 F0 FF
Source: C:\ \4qOTcmSTSq.exe | Memory written: PID: 7396 base: 75000230 value: E9 0B 06 87 8C
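Decoding the eight E9 writes above, as an added example (this code is not part of the Joe Sandbox report): each value is a 5-byte x86 `jmp rel32`, whose destination is base + 5 + the signed little-endian displacement, wrapped to 32 bits. Pairing the writes by the rule "one write's destination lands a few bytes past another write's base" separates the inline hooks from their trampolines (the stub that holds the displaced original bytes and jumps back to the hooked address plus the displaced length) and shows that all four detours land in the single page at 0x01870000, far below the system-DLL range the hooked addresses sit in. Which functions live at the hooked addresses is not in the report and is not assumed; the 5-to-16-byte window for the displaced length is the pairing heuristic's own assumption.

```python
import struct
from typing import NamedTuple


class Write(NamedTuple):
    pid: int
    base: int
    data: bytes


# The eight "Memory written" rows reported for PID 7312, transcribed from
# this report (the same eight writes recur verbatim for PID 7396).
REPORTED_WRITES = [
    Write(7312, 0x77040005, bytes.fromhex("E9 2B BA E8 FF")),
    Write(7312, 0x76ECBA30, bytes.fromhex("E9 6B 4E 9A 8A")),
    Write(7312, 0x77040017, bytes.fromhex("E9 7C 8E ED FF")),
    Write(7312, 0x76F18E90, bytes.fromhex("E9 9B 7A 95 8A")),
    Write(7312, 0x75100005, bytes.fromhex("E9 8B 8A ED FF")),
    Write(7312, 0x74FD8A90, bytes.fromhex("E9 1B 7D 89 8C")),
    Write(7312, 0x75100014, bytes.fromhex("E9 1C 02 F0 FF")),
    Write(7312, 0x75000230, bytes.fromhex("E9 0B 06 87 8C")),
]

# Assumption of the pairing heuristic: an inline hook displaces between 5
# (the jmp itself) and 16 bytes of the original function prologue.
STOLEN_MIN, STOLEN_MAX = 5, 16


def jmp_rel32_target(base: int, data: bytes) -> int:
    """Destination of a 5-byte x86 `jmp rel32` (opcode E9) written at `base`.
    The displacement is a signed 32-bit value relative to the end of the
    instruction (base + 5); the sum wraps to 32 bits like the CPU does."""
    if len(data) != 5 or data[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp rel32")
    (rel,) = struct.unpack("<i", data[1:])
    return (base + 5 + rel) & 0xFFFFFFFF


def pair_hooks(writes):
    """Group E9 writes into (hook, trampoline) pairs.

    A write whose jmp lands STOLEN_MIN..STOLEN_MAX bytes past another write's
    base is the trampoline returning into that hooked function; the other
    write is the hook, and its own jmp target is the attacker's detour."""
    hooks = []
    for w in writes:
        target = jmp_rel32_target(w.base, w.data)
        for other in writes:
            stolen = target - other.base
            if other is not w and STOLEN_MIN <= stolen <= STOLEN_MAX:
                hooks.append({
                    "hooked": other.base,
                    "detour": jmp_rel32_target(other.base, other.data),
                    "trampoline": w.base,
                    "resume_at": target,
                    "stolen_bytes": stolen,
                })
    return sorted(hooks, key=lambda h: h["hooked"])


def detour_pages(hooks):
    """4 KiB pages the detour targets fall into; one page means every hook
    hands control to a single attacker-controlled region."""
    return {h["detour"] & ~0xFFF for h in hooks}


if __name__ == "__main__":
    hooks = pair_hooks(REPORTED_WRITES)
    for h in hooks:
        print(f"hook @ {h['hooked']:08X} -> detour {h['detour']:08X}; "
              f"trampoline @ {h['trampoline']:08X} resumes at "
              f"{h['resume_at']:08X} ({h['stolen_bytes']} bytes displaced)")
    print("detour pages:", [f"{p:08X}" for p in sorted(detour_pages(hooks))])
```

Running it lists four hooks at 0x74FD8A90, 0x75000230, 0x76ECBA30 and 0x76F18E90 (the last one displacing 8 bytes, the others 5) and a single detour page, 0x01870000. The same decoding applies to any sandbox "memory written" row whose value starts with E9, and a trampoline whose resume address is not a plausible instruction boundary is the usual sign that the pairing guessed wrong.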
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 7777
Source: unknown | Network traffic detected: HTTP traffic on port 7777 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 7777
Source: unknown | Network traffic detected: HTTP traffic on port 7777 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 49882 -> 7777
Source: C:\ \4qOTcmSTSq.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ \4qOTcmSTSq.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ \4qOTcmSTSq.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D7FD69705CBB61708066FF39A562D737E4EA77CE Blob
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ \4qOTcmSTSq.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ \4qOTcmSTSq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ \4qOTcmSTSq.exe | Memory allocated: 8D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944949472.000000000733E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: 4qOTcmSTSq.exe, 00000000.00000002.1750163959.0000000007679000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000000.00000003.1704308496.0000000006130000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1769779499.000000000611C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944949472.000000000733E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
Source: 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.00000000043C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\4qOTcmSTSq.exe | Process information queried: ProcessInformation
Source: C:\ \4qOTcmSTSq.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ \4qOTcmSTSq.exe | Socket bind: port: 49730
Source: C:\ \4qOTcmSTSq.exe | Socket bind: port: 49763
MITRE ATT&CK Matrix (a cell with a leading number is a technique matched by this analysis; the number is the match count Joe Sandbox shows for that cell)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 1 Credential API Hooking | 1 Query Registry | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 12 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 1 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 11 Peripheral Device Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | 12 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 4qOTcmSTSq.exe | 43% | Virustotal | |
| 4qOTcmSTSq.exe | 32% | ReversingLabs | Win32.PUA.Generic |
| 4qOTcmSTSq.exe | 100% | Avira | HEUR/AGEN.1332402 |
| 4qOTcmSTSq.exe | 100% | Joe Sandbox ML | |

| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\ \4qOTcmSTSq.exe | 100% | Avira | HEUR/AGEN.1332402 |
| C:\ \4qOTcmSTSq.exe | 100% | Joe Sandbox ML | |
| C:\ \4qOTcmSTSq.exe | 32% | ReversingLabs | Win32.PUA.Generic |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmp | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm | 0% | Avira URL Cloud | safe |
| http://www.acabogacia.org/doc0 | 0% | Avira URL Cloud | safe |
| http://www.e-me.lv/repository0 | 0% | Avira URL Cloud | safe |
| http://ocsp.suscerte.gob.ve0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/L | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htme | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htms | 0% | Avira URL Cloud | safe |
| http://www.certplus.com/CRL/class3.crl0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.html | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmf | 0% | Avira URL Cloud | safe |
| http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmCNZh | 0% | Avira URL Cloud | safe |
| http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 0% | Avira URL Cloud | safe |
| http://www.pkioverheid.nl/policies/root-policy0 | 0% | Avira URL Cloud | safe |
| http://www.certplus.com/CRL/class3P.crl0 | 0% | Avira URL Cloud | safe |
| http://www.suscerte.gob.ve/lcr0# | 0% | Avira URL Cloud | safe |
| http://ca.disig.sk/ca/crl/ca_disig.crl0 | 0% | Avira URL Cloud | safe |
| http://www.suscerte.gob.ve/dpc0 | 0% | Avira URL Cloud | safe |
| http://crl.ssc.lt/root-c/cacrl.crl0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm=J | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmT | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmes | 0% | Avira URL Cloud | safe |
| http://www.disig.sk/ca/crl/ca_disig.crl0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmd | 0% | Avira URL Cloud | safe |
| http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe |
| http://www.defence.gov.au/pki0 | 0% | Avira URL Cloud | safe |
| http://www.sk.ee/cps/0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm | 0% | Avira URL Cloud | safe |
| http://ocsp.trust-provider.cn0 | 0% | Avira URL Cloud | safe |
| http://www.anf.es | 0% | Avira URL Cloud | safe |
| http://crl.postsignum.cz/crl/psrootqca4.crl02 | 0% | Avira URL Cloud | safe |
| http://pki.registradores.org/normativa/index.htm0 | 0% | Avira URL Cloud | safe |
| http://www.ssc.lt/cps03 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmstedr/en/authrootstl.cab?2abd31902ae | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmW | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/ | 0% | Avira URL Cloud | safe |
| https://www.anf.es/address/)1(0& | 0% | Avira URL Cloud | safe |
| http://www.certicamara.com/dpc/0Z | 0% | Avira URL Cloud | safe |
| http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | Avira URL Cloud | safe |
| http://www.anf.es/es/address-direccion.html | 0% | Avira URL Cloud | safe |
| http://lb.luob727sgdsg.top/wang/9wb-JLCMX.txt | 0% | Avira URL Cloud | safe |
| http://ca.mtin.es/mtin/ocsp0 | 0% | Avira URL Cloud | safe |
| http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 0% | Avira URL Cloud | safe |
| http://www.dnie.es/dpc0 | 0% | Avira URL Cloud | safe |
| https://www.anf.es/AC/ANFServerCA.crl0 | 0% | Avira URL Cloud | safe |
| http://ca.mtin.es/mtin/DPCyPoliticas0 | 0% | Avira URL Cloud | safe |
| http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0 | 0% | Avira URL Cloud | safe |
| https://repository.tsp.zetes.com0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htment | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmll | 0% | Avira URL Cloud | safe |
| http://www.globaltrust.info0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm~H | 0% | Avira URL Cloud | safe |
| http://acedicom.edicomgroup.com/doc0 | 0% | Avira URL Cloud | safe |
| https://crl.anf.es/AC/ANFServerCA.crl0 | 0% | Avira URL Cloud | safe |
| http://ac.economia.gob.mx/last.crl0G | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmuK | 0% | Avira URL Cloud | safe |
| http://www.disig.sk/ca0f | 0% | Avira URL Cloud | safe |
| http://www.sk.ee/juur/crl/0 | 0% | Avira URL Cloud | safe |
| http://crl.chambersign.org/chambersignroot.crl0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/er | 0% | Avira URL Cloud | safe |
| http://crl.ssc.lt/root-a/cacrl.crl0 | 0% | Avira URL Cloud | safe |
| http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmsr | 0% | Avira URL Cloud | safe |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm3 | 0% | Avira URL Cloud | safe |
| http://www.pkioverheid.nl/policies/root-policy-G20 | 0% | Avira URL Cloud | safe |
| http://www.e-trust.be/CPS/QNcerts | 0% | Avira URL Cloud | safe |
| http://ocsp.ncdc.gov.sa0 | 0% | Avira URL Cloud | safe |
| http://crl2.postsignum.cz/crl/psrootqca4.crl01 | 0% | Avira URL Cloud | safe |
| http://lb.luob727sgdsg.top:7777/wang/9wb-JLCMX.txtP | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| lb.luob727sgdsg.top | 103.8.70.183 | true | true | | unknown |
| dw507scp1q.dw507scp1q.top | 103.192.209.66 | true | false | | unknown |
| crt.trust-provider.cn | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://lb.luob727sgdsg.top/wang/9wb-JLCMX.txt | true | Avira URL Cloud: safe | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htms | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.certplus.com/CRL/class3.crl0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.e-me.lv/repository0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.acabogacia.org/doc0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.chambersign.org/chambersroot.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/L | 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://ocsp.suscerte.gob.ve0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmp | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.html | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htme | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmf | 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.dhimyotis.com/certignarootca.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.chambersign.org1 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.pkioverheid.nl/policies/root-policy0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://repository.swisssign.com/0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmCNZh | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.suscerte.gob.ve/lcr0# | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.bt.cn/?from=404 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004421000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004448000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000443C000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000442E000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.ssc.lt/root-c/cacrl.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ca.disig.sk/ca/crl/ca_disig.crl0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.certplus.com/CRL/class3P.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.suscerte.gob.ve/dpc0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm=J | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.00000000043C4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmS | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmT | 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmes | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.certplus.com/CRL/class2.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.disig.sk/ca/crl/ca_disig.crl0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.defence.gov.au/pki0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmF | 4qOTcmSTSq.exe, 00000001.00000002.2941419202.0000000000526000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://www.sk.ee/cps/0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.globaltrust.info0= | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmd | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://ocsp.trust-provider.cn0 | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004406000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2943298118.0000000004393000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.anf.es | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm | 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.postsignum.cz/crl/psrootqca4.crl02 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://pki.registradores.org/normativa/index.htm0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://policy.camerfirma.com0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.ssc.lt/cps03 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmW | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmstedr/en/authrootstl.cab?2abd31902ae | 4qOTcmSTSq.exe, 00000001.00000002.2944080500.000000000445E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/ | 4qOTcmSTSq.exe, 00000001.00000002.2942795030.00000000038D0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.anf.es/es/address-direccion.html | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://www.anf.es/address/)1(0& | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0? | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ca.mtin.es/mtin/ocsp0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://crl.ssc.lt/root-b/cacrl.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://web.ncdc.gov.sa/crl/nrcacomb1.crl0 | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.certicamara.com/dpc/0Z | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G | 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://wwww.certigna.fr/autorites/0m | 4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.dnie.es/dpc0 | 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp | false | | |
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htment4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://ca.mtin.es/mtin/DPCyPoliticas04qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://www.anf.es/AC/ANFServerCA.crl04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://repository.tsp.zetes.com04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmll4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.globaltrust.info04qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://certificates.starfieldtech.com/repository/16044qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        http://acedicom.edicomgroup.com/doc04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://crl.anf.es/AC/ANFServerCA.crl04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htm~H4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://ac.economia.gob.mx/last.crl0G4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.catcert.net/verarrel4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          http://www.disig.sk/ca0f4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://www.e-szigno.hu/RootCA.crl4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907264404.00000000094B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              http://www.sk.ee/juur/crl/04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmuK4qOTcmSTSq.exe, 00000001.00000002.2944080500.0000000004477000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://crl.chambersign.org/chambersignroot.crl04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907061458.000000000949F000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://crl.xrampsecurity.com/XGCA.crl04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                http://certs.oati.net/repository/OATICA2.crl04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  http://crl.oces.trust2408.com/oces.crl04qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.quovadis.bm04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://crl.ssc.lt/root-a/cacrl.crl04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmsr4qOTcmSTSq.exe, 00000001.00000002.2943298118.000000000434C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://certs.oaticerts.com/repository/OATICA2.crl4qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://dw507scp1q.dw507scp1q.top:11493/er4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000094C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://certs.oati.net/repository/OATICA2.crt04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.accv.es004qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.pkioverheid.nl/policies/root-policy-G204qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://dw507scp1q.dw507scp1q.top:11493/9en/aw/wb/xjlcm/link.htmm34qOTcmSTSq.exe, 00000001.00000002.2946211677.0000000009460000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf04qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.e-trust.be/CPS/QNcerts4qOTcmSTSq.exe, 00000001.00000003.1906835908.00000000094AE000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1907134684.00000000094BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://ocsp.ncdc.gov.sa04qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://fedir.comsign.co.il/crl/ComSignCA.crl04qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://crl2.postsignum.cz/crl/psrootqca4.crl014qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://lb.luob727sgdsg.top:7777/wang/9wb-JLCMX.txtP4qOTcmSTSq.exe, 00000001.00000002.2942820739.0000000003928000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://web.ncdc.gov.sa/crl/nrcaparta1.crl4qOTcmSTSq.exe, 00000001.00000003.1906835908.0000000009446000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.datev.de/zertifikat-policy-int04qOTcmSTSq.exe, 00000001.00000003.1906996730.0000000009487000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000002.2946211677.00000000093F0000.00000004.00000020.00020000.00000000.sdmp, 4qOTcmSTSq.exe, 00000001.00000003.1906835908.000000000946D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    • No. of IPs < 25%
                                                                    • 25% < No. of IPs < 50%
                                                                    • 50% < No. of IPs < 75%
                                                                    • 75% < No. of IPs
IP:103.8.70.183
Domain:lb.luob727sgdsg.top
Country:China
ASN:7575
ASN Name:AARNET-AS-AP Australian Academic and Research Network (AARNet)
Malicious:true
IP:103.192.209.66
Domain:dw507scp1q.dw507scp1q.top
Country:China
ASN:17907
ASN Name:NUSKOPE NuSkope Pty Ltd AU
Malicious:false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1580858
                                                                    Start date and time:2024-12-26 12:13:08 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 5m 50s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                    Number of analysed new started processes analysed:7
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:4qOTcmSTSq.exe
                                                                    renamed because original name is a hash value
                                                                    Original Sample Name:2062623f5b2697dd4afab644624bbcba.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.winEXE@3/21@5/2
                                                                    EGA Information:Failed
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 3
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 23.32.238.152, 23.32.238.121, 4.175.87.197, 13.107.246.63
                                                                    • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, crt.usertrust.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, crt.comodoca.com
• Execution Graph export aborted for target 4qOTcmSTSq.exe, PID 7396 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    No simulations
                                                                    No context
                                                                    No context
                                                                    No context
                                                                    No context
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2750008
                                                                    Entropy (8bit):7.998572577630885
                                                                    Encrypted:true
                                                                    SSDEEP:49152:thKiOhuVLsNRnaJTppzdtSFRTvZBodv+nc3LJTRHoDPWJJnlLH0573hxpU:thKth4Lsfa/Q7R+Zf3DHcuJJnNWbhxpU
                                                                    MD5:D3D4A4A13E1ECDDABA77D465BAA69D07
                                                                    SHA1:45C03C464926D41B6A03B6F2512467593BA80881
                                                                    SHA-256:3708B8919FC963A7A4E067065894252075BFE8731038F26D11323C3FE78B5DDF
                                                                    SHA-512:B8DB35895C57240DD66E124742C98A320802E9DB2851BF3964FCEEEF9CF720BE6FC438E2060477E2496ACD853E65F84F0F37CF23A28217995574117A03B89261
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Process:C:\Users\user\Desktop\4qOTcmSTSq.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19605580
                                                                    Entropy (8bit):7.9748954413983935
                                                                    Encrypted:false
                                                                    SSDEEP:393216:QdAN7DBrusfBRVsScM+N9UeVzrVOEGYXwSWe834h9qoTnMqZ:VN7DXBRVslM+N9/7OExWe83iL
                                                                    MD5:2062623F5B2697DD4AFAB644624BBCBA
                                                                    SHA1:64F39311B47432FD60310335ED1D1533A4BC58F0
                                                                    SHA-256:52193DD36EF4DC531BEFF1FD5330283DDAE1D37137ABD9AC7ECBE4719DDA57C4
                                                                    SHA-512:F5862CF4F6932331C22AE8BB1DAF749AAD5FD0C8B6A5ED322A61C03B5F4D1606B2C90CAA4C8A13CE09A061DB228F9E9C96021FF7FE575B1AAE160F963B63EA3E
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 32%
                                                                    Reputation:low
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1787
                                                                    Entropy (8bit):5.741665960087809
                                                                    Encrypted:false
                                                                    SSDEEP:24:PnXySy2DJ7+ak0JMTcJC+JuvYnKslJ7LyuEx7VR638cc:vXLy7W+cTgm5Ly35R68cc
                                                                    MD5:D8B3360A7CFBB70B050C38E6C904CCAC
                                                                    SHA1:E94670BE6959E0F62B169849A34EB1CA16D7BBB4
                                                                    SHA-256:2F255323461AEE4BE3B83A8AA27F6CD704A1A4ACC593202DB33FFED62365DE01
                                                                    SHA-512:D8F07AF7552C3AE5C725EFF897B522AF652BEA035D691336456ECBAB6E183317AC462F10B31D2FA997C8333DF2FEEE574F39D6D3299673B2D336E1AE6B0C3294
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:title1=.............title2=.............title3=.............title4=............title5=.............title6=.............title7=.............title8=............title9=............title10=............title11=...........title12=............. ....;.....................................................1=116/..................2=116/..................\116/...100.....................3=116/...................\116/...100.....................4=116/..................\116/...100.....................5=116/...................\116/...100.....................6=116/...................\116/...100.....................7=116/...................\116/...100.....................8=116/..................\116/...100.....................9=116/..................\116/...100.....................10=116/..................\116/...100.....................11=116/.................\116/...100.....................12=116/.......
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):1499
                                                                    Entropy (8bit):5.4212564172041375
                                                                    Encrypted:false
                                                                    SSDEEP:24:5acCXWN71sUZc6j96vDkegWl/xAJMM2P7XxxDFwymPGpTT5RE:7ImjgiWdxprKGC
                                                                    MD5:C96E37BDACD3D08EF75CC5FD7466E00B
                                                                    SHA1:8A8B84B48374C1B9CE86CC80D4435FCC87043808
                                                                    SHA-256:3620B152A6579DF7D283ECADC07650F7D26407E677F93419FF19726C948BF95D
                                                                    SHA-512:372EFCE9E9C667138EB2EE4A6716E25850BB4C5E115C69DEE3D1BA7118787BBCCAF568D91CC708F72FCEFDD76D842D72CF64821ACD6AD08C4D3208628420E519
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:........,178,99,......,$7BBDCE,0..........,189,80,......,$7BBDCE,0............,200,48,......,$7BBDCE,0............,52,18,......,$7BBDCE,0...........,176,18,......,$7BBDCE,0...........,170,27,......,$7BBDCE,0.............,83,105,......,$7BBDCE,0.............,79,74,......,$7BBDCE,0..........,271,31,......,$7BBDCE,0..........,243,43,......,$7BBDCE,0..........,177,90,......,$7BBDCE,0..........,173,15,......,$7BBDCE,0............,28,21,......,$7BBDCE,0............,19,17,......,$7BBDCE,0............,27,25,......,$7BBDCE,0............,96,97,......,$7BBDCE,0...........,274,20,......,$7BBDCE,0...........,59,25,......,$7BBDCE,0...........,329,64,......,$7BBDCE,0...........,187,37,......,$7BBDCE,0............,276,34,......,$7BBDCE,0............,264,16,......,$7BBDCE,0...........,40,30,......,$7BBDCE,0...........,275,25,......,$7BBDCE,0...........,110,77,.......,$24ff00,0..........
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):11181
                                                                    Entropy (8bit):6.086415537252552
                                                                    Encrypted:false
                                                                    SSDEEP:192:jdxxGoV/2v8kU6kvT291v4eVJfcJCKyvoWQw6ScvWO1BDDmReZNm:ZxxGoV/2v8kU6cT23v4eVJfcJCKyvoWX
                                                                    MD5:125C6B207692B4AF64B640018296FA4F
                                                                    SHA1:272802E29108C3E134E7DE7EFB03A063A140B87C
                                                                    SHA-256:DF41C432A6015C9CA0942F06C7E47030943BAD54C75D7475DE4EE428CA37D8BB
                                                                    SHA-512:6A17DCD24C7707FA90A55D1734DA1885375183E2D684907E1D85DE018F98DC5D69BE3DEFEAA0F3D6BBFCCCA3FBCE45C74A2D75FD38E1E83266D8F4BEDE99207E
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:.......,..........,..........................,......,.......................................,.......,..........................................,......,............................................,.....,........................................,.......,..................................,.....,....................................,......,.............................................,.......,...........................,......,........................,.....,........................................,...,.....................................,......,...................................,.......,............................................,......,......................................,........,..........................,.....,..........................,.......,................................,.....,...........................
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:ISO-8859 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):59
                                                                    Entropy (8bit):4.714950625809617
                                                                    Encrypted:false
                                                                    SSDEEP:3:GZvfsdLfUh/yvMJhFX03VEkv:GAfUhavMJfXSz
                                                                    MD5:819C75D7F0D363EB704AF8AFAFADBEE3
                                                                    SHA1:13EA7DD71A612A294BCD39B22AFA9A6CD56B1B98
                                                                    SHA-256:2539C2D752770A51D2BD192F2266A80C76388942A348193F55D34AF3A1169E88
                                                                    SHA-512:DBA5C02C861B3CA3193AAD21BCD8AC6BD4E2804A0B9938259E655201D1740E1589A768A29C6C828E50D2D7C883F54AFAAB27C248843611EFB251C00F5D387D34
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:;........(......./.......),......,.........,.........
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):42052
                                                                    Entropy (8bit):1.8670886371991373
                                                                    Encrypted:false
                                                                    SSDEEP:384:YNEe2MNCjpFwiiCUZpAiD2s392YeGTxGI42WlPAyFIIv/:3HhjpLiCaRiPYLxGb/hd2Iv
                                                                    MD5:4071ABB7FE2D31400DF8F5050EE53936
                                                                    SHA1:F2C65A4A4ACAEEFBFDCFC6B490C674848B2CA29C
                                                                    SHA-256:0F640922AF5ED722035B6275A6DD36810736E4237F2771F3FF6B45A8AFCAC1ED
                                                                    SHA-512:2C3BA4FD6DF9F6A0E46FACE68562A2B04B28EDCA50700FA0E36C7FB1DDB564450F3EC78BA98CE5D85A2F3262BEF065EDE36A6A38E0D2FF94216AB796EEAAA121
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:2.<..Legend of mir....6w.,.@....GMGJX.COM........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S..0..........S.._..........S..........
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):677652
                                                                    Entropy (8bit):1.7599710726590023
                                                                    Encrypted:false
                                                                    SSDEEP:3072:HqsNesaXAsjmsOdn5w4MGDvZNZiavpm33/sSARra0Vh767VueK30EO9cd2A6SLxD:rcTSJiy0EAY0kd/66ulIoeiu
                                                                    MD5:8D53D10F76934CA2506AC6A8551B44C3
                                                                    SHA1:A77228366F5F96548BD89C922CE25271AFEF230C
                                                                    SHA-256:DD16A87D603378D8215964CE0C4D49D298D7A14459553139E5B5997391B455A3
                                                                    SHA-512:556BB12D111D8A0EB3564795A1B895C3F44237FE47B9EAD8CA1D20ABAB7F32FB654AEE0975B235D8F936584C6930D82464133ABF9BCD9757B048C7A8972CF314
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:.....Legend of mir..F....,.@....GMGJX.COM.......................T...........................T...........h...............T...........................T...........................T..............T..%.........TT..f..........T............TT..8..........T..D.........TT..s..........T............TT.............T............TT.............T..S.........TT..........................T...........................T...........................T...........................T...........................T...........................T...........................T...........................T...........................T...........................T..............T".7.........TT..........................T...........................T...........................T...........................T..............."...........T...........................T...........................T...........................T...........................T...........................T...........................T...............C...........T...........
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                    Category:dropped
                                                                    Size (bytes):2820618
                                                                    Entropy (8bit):7.998888574641386
                                                                    Encrypted:true
                                                                    SSDEEP:49152:8nphcyW9QrxUNhno5T//V6l6Fb73npSoaUZfUUTzp+7j4UElphVtBdJEhx:Ephcb9ixU/o513naUZ8EpAsl3hzeH
                                                                    MD5:A9C8E4CBF80CD75EC3E4FFADDE347ECA
                                                                    SHA1:AE6650FD6CDE2DD8830101C6F0A1E7252E02A04F
                                                                    SHA-256:34517F198BB161CFD9BD14A619AC242F3A4FCBC968728C3E8102AB5FCC5BDC67
                                                                    SHA-512:A259DC8EA666216FF675316E2F57C61ADEE596CAB00F0F4FB15726C6BA4B5297BCF7830AD486AE7B28582F983B0CBD6FF1A2CBA60E98CD5BBA5791D9E7D6E923
                                                                    Malicious:false
                                                                    Preview:PK........,.gY................Data/GodBlessItems.dat...j.@......70....y.n.(t.....`0...M.....Q(-]t!..X..H....6.........3.I. }..p..Z[..|`D#.H.."...4..`ed...U.4.c.....2...P..[.y....N.>Ba..Z.3.....B!..wo..).I..NE...~.C..L.........^?.O...H@..Rb./.Wijg..E*bPQo..E+...t.k..=R..<.....M..4.._.e./Q...S.........yx....<|........j..(.....)..@N...6.......<O... ...3...l.._J..T.(.`$...`.J.~sg..,{......o.R.)..6*.S.?.%.'..Q.O..lT.@p6*.PTk6*.S 3....P`0..|..e..7.U....qQ.......!..PK........,.gYB..O............Data/MapDesc1.dat..]K.@......^...H2.[]...L..._...Z..hS.X.mq..X.... z.t&..xV......9g..........U.ZC..=...}Z..|...6..Yp..C.!.\4,s...i..d...c....9[..Q...e..E.m.^.\U..kO1.......~...P.g>.C.....BR.F..7.. 9.C..'.<./]M.....b\...>.q..>..n.X..A..!.t..I.i..l.qZ.....u...m?.zIm.;...!...n.....auRh.<R.\.d..n...y.8|...@.>...Cy@......`}..IO...)...?......'...k......W...C.I..dn..sI......R..~@b...W.L....}\..u...F#g.....0[...[..6_.&!`..1g.`U[v....8.Y."m.9......./......PK...
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                    Category:dropped
                                                                    Size (bytes):71954
                                                                    Entropy (8bit):7.996617769952133
                                                                    Encrypted:true
                                                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                    Malicious:false
                                                                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Certificate, Version=3
                                                                    Category:dropped
                                                                    Size (bytes):1413
                                                                    Entropy (8bit):7.480496427934893
                                                                    Encrypted:false
                                                                    SSDEEP:24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
                                                                    MD5:285EC909C4AB0D2D57F5086B225799AA
                                                                    SHA1:D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                                                                    SHA-256:68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
                                                                    SHA-512:4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
                                                                    Malicious:false
                                                                    Preview:0...0..i.......9rD:.".Q..l..15.0...*.H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...190312000000Z..281231235959Z0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0.."0...*.H.............0..........e.6......W.v..'.L.P.a. M.-d.....=.........{7(.+G.9.:.._..}..cB.v.;+...o... ..>..t.....bd......j."<......{......Q..gF.Q..T?.3.~l......Q.5..f.rg.!f..x..P:.....L....5.WZ....=.,..T....:M.L..\... =.."4.~;hf.D..NFS.3`...S7.sC.2.S...tNi.k.`.......2..;Qx.g..=V...i....%&k3m.nG.sC.~..f.)|2.cU.....T0....}7..]:l5\.A...I......b..f.%....?.9......L.|.k..^...g.....[..L..[...s.#;-..5Ut.I.IX...6.Q...&}.M....C&.A_@.DD...W..P.WT.>.tc/.Pe..XB.C.L..%GY.....&FJP...x..g...W...c..b.._U..\.(..%9..+..L...?.R.../..........0..0...U.#..0......#>.....)...0..0...U......Sy.Z.+J.T.......f.0...U...........0...U.......0....0...U
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Certificate, Version=3
                                                                    Category:dropped
                                                                    Size (bytes):1635
                                                                    Entropy (8bit):7.492661403315593
                                                                    Encrypted:false
                                                                    SSDEEP:24:Eth7Ij30V6osl3T5jdsnwqP3UlGOzLX7JgobKid5usVGcqE1QsK0/ILdJWaq:c4OdshsnTP3qLX7JgytrusVdqnsRiJ3q
                                                                    MD5:4008DD62FB2BE43856CFA2BB2DD56F00
                                                                    SHA1:D7FD69705CBB61708066FF39A562D737E4EA77CE
                                                                    SHA-256:0E5B00721B63C04A57E04135A4A9042C4965B4F50C505FE26D34E0E71855EE47
                                                                    SHA-512:122C9989C2CE4C6B2D151EC7349272536047A088552852BFDC428FCD52F37275B00E224A3C9831BB3751D5D4146233135828EEEC8F045E5C200E80B732F716AC
                                                                    Malicious:false
                                                                    Preview:0.._0..G..........U..4-.&.....F0...*.H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...220420000000Z..320419235959Z0Y1.0...U....CN1%0#..U....TrustAsia Technologies, Inc.1#0!..U....TrustAsia RSA DV TLS CA G30...0...*.H.............0..........}.._j.....c...zr...."....@K-.D,....x.vM.a......?.E.f"g...4......%.#.Xt....<.c...WW.e.._^.....,h5.9.]N.9..ff..26.Yk........."............"1..^.2.......$.../+.xo|.>.R.......2..Yk:.5...r......a..&u...@c-.z....<..Z6Ki@P.8@`:...Y.....\/ ........=.......[..I...,].B..d.B..%.Z.;;...t....q....b.....%.Q.,.....]..=.Q...."..I.....;.[....v.>.....aM}.R...P.....wa..E....x.R...........p0..l0...U.#..0...Sy.Z.+J.T.......f.0...U...........3._.......\....0...U...........0...U.......0.......0...U.%..0...+.........+.......0"..U. ..0.0...+.....1...10...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0q..+.......
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):328
                                                                    Entropy (8bit):3.141785112603811
                                                                    Encrypted:false
                                                                    SSDEEP:6:kK71hL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:j1hiDnLNkPlE99SNxAhUe/3
                                                                    MD5:685FED215B1BCD3FAE5424B96E0890BC
                                                                    SHA1:005764F86242EE514B8430610E71B00436EE2BAE
                                                                    SHA-256:8F23EF7350F02C2596AE2DDE80BDA529BF34E8AA582FF2D47082D7F0336B2F59
                                                                    SHA-512:6D3C92B2C382B135715AB5255A550076410AFA18CD6B6830EE29F0913B4D339A43FC14503E80E14B3DBB16D39F013FBF635ED9C17A0FF7A22CD8A896C7C53E35
                                                                    Malicious:false
                                                                    Preview:p...... ........:..P.W..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):296
                                                                    Entropy (8bit):3.1874435727743795
                                                                    Encrypted:false
                                                                    SSDEEP:6:kKxlt8QolNbjMulgokG8aWebhafcDWV+vG1bod7lF/:Xt8vlNnMuldk1LSaPVdbs
                                                                    MD5:53295E973CFE9993744C3FAA20D65110
                                                                    SHA1:174F03A7608D8B9FE8527549F653414BC7184E53
                                                                    SHA-256:AFCD356F033E4B0CD9C9A1F8B00A894DC849268F0149334F2DF583217C414445
                                                                    SHA-512:B374EE35626635E32C01F0BE59B1CE7802A0CFA32CEFBFD18992A09D779A46FF5FCDFAA36DBC7A5E5DE19DDAEC4A19FF2671995B8A10FC931E302835AD63092E
                                                                    Malicious:false
                                                                    Preview:p...... ....^....w_O.W..(....................................................... .........(.f....Q..V...............h.t.t.p.:././.c.r.t...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.A.A.A.C.A...c.r.t...".d.8.9.e.3.b.d.4.3.d.5.d.9.0.9.b.4.7.a.1.8.9.7.7.a.a.9.d.5.c.e.3.6.c.e.e.1.8.4.c."...
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):312
                                                                    Entropy (8bit):3.2263057795563115
                                                                    Encrypted:false
                                                                    SSDEEP:6:kKCh88dRle12iAanMiMiiMa322SzfuGeXjdSbNn:08+Rl02iLnMEiMI24GeXsbN
                                                                    MD5:18207FEF1A4D7316D5DD165F742C0B14
                                                                    SHA1:B57DF588C8EE5A2DCB41626158247116C4EE4B51
                                                                    SHA-256:6A134A8FE9BBA0CE120D75592C31B959149BBBF87CAA6E5787F7629A5BB2264D
                                                                    SHA-512:318D7188A5AC692FC34CAABC28E37FC9B6AEEB4635DD80D290E429BF9B188BD57540E1483D86648F5DB10AD57AC76A72691610C833598A6011BB3C96E3751A1F
                                                                    Malicious:false
                                                                    Preview:p...... ....n...<[.N.W..(....................................................... ...........IT...Q..V...........c...h.t.t.p.:././.c.r.t...t.r.u.s.t.-.p.r.o.v.i.d.e.r...c.n./.T.r.u.s.t.A.s.i.a.R.S.A.D.V.T.L.S.C.A.G.3...c.r.t...".d.7.f.d.6.9.7.0.5.c.b.b.6.1.7.0.8.0.6.6.f.f.3.9.a.5.6.2.d.7.3.7.e.4.e.a.7.7.c.e."...
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4722
                                                                    Entropy (8bit):5.16192639844512
                                                                    Encrypted:false
                                                                    SSDEEP:96:z9UUiqRxqH211CUIRgRLnRynjZbRXkRPRk6C87Apsat/5/+mhPcF+5g5O8b7A9I5:JsUOG1yNlX6ZzWpHOo/iP16CbM1k
                                                                    MD5:387B4FC78ABB97F378C5299D4D2CE305
                                                                    SHA1:6F2995FC620AB520C9EE1CA7244DF57367F983A2
                                                                    SHA-256:030209A13E2C84118139ABF0C4F08DBD203B4C802C7B73B74851860D79DF9CB7
                                                                    SHA-512:592D5E3FB7C78420F648281D87B0B303773749B8E0D3621A493ACAE257E2C1E77B782F3D6DAA0C2B3D37CBB4865B382617AF744E34F66C0F3E522DBCA7D71AAE
                                                                    Malicious:false
                                                                    Preview:.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "Your PC doesn\u2019t trust this website\u2019s security certificate.";..var L_CertExpired_TEXT = "The website\u2019s security certificate is not yet valid or has expired.";..var L_CertCNMismatch_TEXT = "The hostname in the website\u2019s security certificate differs from the website you are trying to visit.";..var L
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):2168
                                                                    Entropy (8bit):5.207912016937144
                                                                    Encrypted:false
                                                                    SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                    MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                    SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                    SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                    SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                    Malicious:false
                                                                    Preview:.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (312), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):6388
                                                                    Entropy (8bit):3.8847382101645676
                                                                    Encrypted:false
                                                                    SSDEEP:48:up4d0yV4VkBXvLotC5N9J/1a5TI7kZ3GUXn3GFa7K083GJehBu01kptk7KwRpdtV:uKpMyN9JaKktZX36a7x05hwW77V
                                                                    MD5:20BF4AE51A0FA8932C6494892235994C
                                                                    SHA1:9FD92B9A36B5C635178AECB420239F012D7C6EDB
                                                                    SHA-256:A14C660AA3231464138E7CBBDA93D3009A3492045F210041446AB9E9CC6ED1F7
                                                                    SHA-512:9222A6AFBB07602F9D26AF5F0A5894AEFFD21627106C38EFC82484B10A4B09FF299273C9107337AA0D6578DE066F43C0162634D1F48741B00C968843D7C36EEB
                                                                    Malicious:false
                                                                    Preview:.<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">....<html dir="ltr">.... <head>.. <link rel="stylesheet" type="text/css" href="ErrorPageTemplate.css">.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.... <title>HTTP 404 Not Found</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:initHomepage(); expandCollapse('infoBlockID', true); initGoBack(); initMoreInfo('infoBlockID');">.... <table width="730" cellpadding="0" cellspacing="0" border="0">.... Error title -->.. <tr>.. <td id="infoIconAlign" width="60" align="left" valign="top" rowspan="2">.. <img src="info_48.png" id="infoIcon" alt="Information ico
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2168
                                                                    Entropy (8bit):5.207912016937144
                                                                    Encrypted:false
                                                                    SSDEEP:24:5+j5xU5k5N0ndgvoyeP0yyiyQCDr3nowMVworDtX3orKxWxDnCMA0da+hieyuSQK:5Q5K5k5pvFehWrrarrZIrHd3FIQfOS6
                                                                    MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
                                                                    SHA1:F4EDA06901EDB98633A686B11D02F4925F827BF0
                                                                    SHA-256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
                                                                    SHA-512:62514AB345B6648C5442200A8E9530DFB88A0355E262069E0A694289C39A4A1C06C6143E5961074BFAC219949102A416C09733F24E8468984B96843DC222B436
                                                                    Malicious:false
                                                                    Preview:.body..{...font-family: "Segoe UI", "verdana", "arial";...background-image: url(background_gradient.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;...color: #575757;..}....body.securityError..{...font-family: "Segoe UI", "verdana" , "Arial";...background-image: url(background_gradient_red.jpg);...background-repeat: repeat-x;...background-color: #E8EAEF;...margin-top: 20px;...margin-left: 20px;..}....body.tabInfo..{...background-image: none;...background-color: #F4F4F4;..}.. ..a..{...color: rgb(19,112,171);.font-size: 1em;...font-weight: normal;...text-decoration: none;...margin-left: 0px;...vertical-align: top;..}....a:link, a:visited..{...color: rgb(19,112,171);...text-decoration: none;...vertical-align: top;..}....a:hover..{...color: rgb(7,74,229);...text-decoration: underline;..}....p..{...font-size: 0.9em;..}.....h1 /* used for Title */..{...color: #4465A2;...font-size: 1.1em;...font-weight: normal;...vertical-align
                                                                    Process:C:\ \4qOTcmSTSq.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Dec 26 10:14:05 2024, mtime=Thu Dec 26 10:14:07 2024, atime=Thu Dec 26 10:14:05 2024, length=19605580, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):1529
                                                                    Entropy (8bit):3.0312727540602586
                                                                    Encrypted:false
                                                                    SSDEEP:24:89RbBzhOUQUAS20IBt3Utut3FIuht3KzBm:89JBzUpjSy3sK3b3C
                                                                    MD5:98D1A95CDF3EC34F06ECFA5BFF557CED
                                                                    SHA1:2DD2A21F15E350C4CE4A641C48E253D8BF64AE6F
                                                                    SHA-256:5745F94C6A90CA1167C0D12E91EE73CE6CD2D935FE6946846E04053BCDD40609
                                                                    SHA-512:0235DF56D310BC1ACC2AEFD4AEB31BCBB584EFA9AF864F159E8DF50F12CAACB7BEFB01EFC06F0B1A36865C41682F9B0F51A4958F42B0BC32D27EF48D93713C8A
                                                                    Malicious:false
                                                                    Preview:L..................F.@.. ...I..F.W....G.W...d.F.W..L(+..........................P.O. .:i.....+00.../C:\...................`.1......Y.Y..A1FF~1..J......Y.Y.Y.Y............................1.............................j.2.L(+..Y.Y .4QOTCM~1.EXE..N......Y.Y.Y.Y.......................... ./.4.q.O.T.c.m.S.T.S.q...e.x.e.......M...............-.......L.............'{.....C:\.........\4qOTcmSTSq.exe..$.....\.....\.....\.........................\.4.q.O.T.c.m.S.T.S.q...e.x.e...C.:.\...........................C.:.\.........................\.4.q.O.T.c.m.S.T.S.q...e.x.e.........%SystemDrive%\.........\4qOTcmSTSq.exe...........................................................................................................................................................................................................................%.S.y.s.t.e.m.D.r.i.v.e.%.\.........................\.4.q.O.T.c.m.S.T.S.q...e.x.e...............................................................................
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.9748954413983935
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:4qOTcmSTSq.exe
                                                                    File size:19'605'580 bytes
                                                                    MD5:2062623f5b2697dd4afab644624bbcba
                                                                    SHA1:64f39311b47432fd60310335ed1d1533a4bc58f0
                                                                    SHA256:52193dd36ef4dc531beff1fd5330283ddae1d37137abd9ac7ecbe4719dda57c4
                                                                    SHA512:f5862cf4f6932331c22ae8bb1daf749aad5fd0c8b6a5ed322a61c03b5f4d1606b2c90caa4c8a13ce09a061db228f9e9c96021ff7fe575b1aae160f963b63ea3e
                                                                    SSDEEP:393216:QdAN7DBrusfBRVsScM+N9UeVzrVOEGYXwSWe834h9qoTnMqZ:VN7DXBRVslM+N9/7OExWe83iL
                                                                    TLSH:DC1733DCA9B0DBC9E4E2C43005F0743C36AEC79C15A63E3BED8958669C04A05A655FFB
                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                    Icon Hash:5d4edcf466626c4d
                                                                    Entrypoint:0x1bb0701
                                                                    Entrypoint Section:.vmp1
                                                                    Digitally signed:false
                                                                    Imagebase:0xa10000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                    DLL Characteristics:
                                                                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:0
                                                                    File Version Major:5
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:b76e51b7841eb216b0d8f8a6fe09b51b
                                                                    Instruction
                                                                    pushfd
                                                                    push dword ptr [esp]
                                                                    pushfd
                                                                    pushad
                                                                    mov dword ptr [esp+28h], 0BCE95D8h
                                                                    jmp 00007F874547D9B8h
                                                                    mov ss, word ptr [edi]
                                                                    and dh, byte ptr [edi+27555F6Ch]
                                                                    and eax, ECF8A9B6h
                                                                    cmpsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1196510 | 0x168 | .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x171a000 | 0x38ca | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x10ede38 | 0x1c | .vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x14f2000 | 0xa8 | .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x14dcb0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0x14f000 | 0x15500 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0x165000 | 0x283d | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x168000 | 0x350c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x16c000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x16d000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.8</ | 0x16e000 | 0x1287c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.<OL | 0x181000 | 0x1e3000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.NewSec | 0x364000 | 0xa00000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.E.3 | 0xd64000 | 0xf50e0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp0 | 0xe5a000 | 0x28c89b | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp1 | 0x10e7000 | 0x6325ed | 0x632600 | db1c372fe10e691fdfa5596015362f75 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x171a000 | 0x38ca | 0x3a00 | 11f3ee11e1fe5445247501dc528d4ef5 | False | 0.7586206896551724 | data | 6.554200892214944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x171a12c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | Chinese | China | 0.7353411513859275
RT_ICON | 0x171afd4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Chinese | China | 0.8023858921161826
RT_GROUP_ICON | 0x171d57c | 0x22 | data | Chinese | China | 0.9705882352941176
RT_MANIFEST | 0x171d5a0 | 0x32a | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.47530864197530864
DLL | Import
kernel32.dll | GetVersion, GetVersionExA, GetVersion, IsDebuggerPresent
user32.dll | SetWindowTextA
advapi32.dll | RegCloseKey
oleaut32.dll | SafeArrayCreate
mpr.dll | WNetGetConnectionA
version.dll | GetFileVersionInfoA
gdi32.dll | GetTextExtentPoint32A
ole32.dll | ReleaseStgMedium
comctl32.dll | ImageList_GetImageCount
shell32.dll | SHGetPathFromIDListA
wininet.dll | HttpSendRequestA
comdlg32.dll | GetOpenFileNameA
winmm.dll | timeGetTime
wsock32.dll | listen
gdiplus.dll | GdipGetImageGraphicsContext
kernel32.dll | GetModuleFileNameW
kernel32.dll | GetModuleHandleA, LoadLibraryA, LocalAlloc, LocalFree, GetModuleFileNameA, ExitProcess

Language of compilation system | Country where language is spoken | Map
Chinese | China |
                                                                    Dec 26, 2024 12:15:12.536753893 CET777749763103.8.70.183192.168.2.4
                                                                    Dec 26, 2024 12:15:12.536843061 CET777749763103.8.70.183192.168.2.4
                                                                    Dec 26, 2024 12:15:12.536890984 CET497637777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:15:12.581032038 CET497637777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:15:12.632637978 CET4973111493192.168.2.4103.192.209.66
                                                                    Dec 26, 2024 12:15:12.701050043 CET777749763103.8.70.183192.168.2.4
                                                                    Dec 26, 2024 12:15:12.701128006 CET497637777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:15:12.752290010 CET1149349731103.192.209.66192.168.2.4
                                                                    Dec 26, 2024 12:15:13.181744099 CET1149349731103.192.209.66192.168.2.4
                                                                    Dec 26, 2024 12:15:13.181916952 CET4973111493192.168.2.4103.192.209.66
                                                                    Dec 26, 2024 12:16:06.961795092 CET498827777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:16:07.114743948 CET777749882103.8.70.183192.168.2.4
                                                                    Dec 26, 2024 12:16:07.114839077 CET498827777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:16:07.114993095 CET498827777192.168.2.4103.8.70.183
                                                                    Dec 26, 2024 12:16:07.234577894 CET777749882103.8.70.183192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 12:14:10.343710899 CET | 50015 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 12:14:11.332735062 CET | 50015 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 12:14:11.383518934 CET | 53 | 50015 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 12:14:11.470313072 CET | 53 | 50015 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 12:14:13.898732901 CET | 56148 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 12:14:14.909104109 CET | 56148 | 53 | 192.168.2.4 | 1.1.1.1
Dec 26, 2024 12:14:15.289413929 CET | 53 | 56148 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 12:14:15.289428949 CET | 53 | 56148 | 1.1.1.1 | 192.168.2.4
Dec 26, 2024 12:14:17.362139940 CET | 56293 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 26, 2024 12:14:10.343710899 CET | 192.168.2.4 | 1.1.1.1 | 0xb36a | Standard query (0) | lb.luob727sgdsg.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:11.332735062 CET | 192.168.2.4 | 1.1.1.1 | 0xb36a | Standard query (0) | lb.luob727sgdsg.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:13.898732901 CET | 192.168.2.4 | 1.1.1.1 | 0xee90 | Standard query (0) | dw507scp1q.dw507scp1q.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:14.909104109 CET | 192.168.2.4 | 1.1.1.1 | 0xee90 | Standard query (0) | dw507scp1q.dw507scp1q.top | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:17.362139940 CET | 192.168.2.4 | 1.1.1.1 | 0x8a7a | Standard query (0) | crt.trust-provider.cn | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 26, 2024 12:14:11.383518934 CET | 1.1.1.1 | 192.168.2.4 | 0xb36a | No error (0) | lb.luob727sgdsg.top | | 103.8.70.183 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:11.470313072 CET | 1.1.1.1 | 192.168.2.4 | 0xb36a | No error (0) | lb.luob727sgdsg.top | | 103.8.70.183 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:15.289413929 CET | 1.1.1.1 | 192.168.2.4 | 0xee90 | No error (0) | dw507scp1q.dw507scp1q.top | | 103.192.209.66 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:15.289428949 CET | 1.1.1.1 | 192.168.2.4 | 0xee90 | No error (0) | dw507scp1q.dw507scp1q.top | | 103.192.209.66 | A (IP address) | IN (0x0001) | false
Dec 26, 2024 12:14:17.971240997 CET | 1.1.1.1 | 192.168.2.4 | 0x8a7a | No error (0) | crt.trust-provider.cn | crt.sectigo.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 26, 2024 12:14:17.971240997 CET | 1.1.1.1 | 192.168.2.4 | 0x8a7a | No error (0) | crt.sectigo.com | crt.comodoca.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                                    • lb.luob727sgdsg.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 103.8.70.183 | 7777 | 7396 | C:\ \4qOTcmSTSq.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 12:14:11.565867901 CET | 212 | OUT | GET /wang/9wb-JLCMX.txt HTTP/1.1
Content-Type: text/html, */*
Content-Length: 0
Date: Thu, 26 Dec 2024 11:14:9 GMT
Host: lb.luob727sgdsg.top
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Dec 26, 2024 12:14:13.175415993 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 26 Dec 2024 10:00:23 GMT
Accept-Ranges: bytes
ETag: "ea3d36fb7c57db1:0"
Server: Microsoft-IIS/7.5
Date: Thu, 26 Dec 2024 11:14:05 GMT
Content-Length: 15747
                                                                    Data Raw: 3b 62 65 67 69 6e cd b7 b2 bf c7 f8 d3 f2 0d 0a 5b 53 65 72 76 65 72 5d 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 58 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 5b 7c be db c1 e9 b3 c1 c4 ac 7c 31 32 37 2e 30 2e 30 2e 31 7c 37 31 30 33 7c 31 7c 34 33 2e 32 34 38 2e 31 34 31 2e 31 34 7c 39 30 30 37 7c 30 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 55 a9 b3 a8 72 a8 75 20 20 a9 ae 20 20 20 20 20 20 a3 b2 a3 b0 a3 b2 a3 b4 a1 be be db c1 e9 b3 c1 c4 ac a1 bf 20 20 20 20 20 20 a8 55 7c be db c1 e9 b3 c1 c4 ac 7c 31 30 33 2e 35 33 2e 31 32 37 2e 38 33 7c 37 30 30 31 7c 31 7c 31 30 33 2e 35 33 2e 31 32 37 2e 38 33 7c 38 30 30 36 7c 30 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 [TRUNCATED]
                                                                    Data Ascii: ;begin[Server]251,0=26|XTTTTTTTTTTTTTTTTTTTTT[||127.0.0.1|7103|1|43.248.141.14|9007|0251,0=26|Uru U||103.53.127.83|7001|1|103.53.127.83|8006|0251,0=26|Ut r --------------------------------U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|Uut U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U 18U||10.168.105.171|70|1|127.0.0.1|0|0250,0=26|U------------------------------------------U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U :00:05[] :09:00U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U :12:00[


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49763 | 103.8.70.183 | 7777 | 7396 | C:\ \4qOTcmSTSq.exe
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 12:15:10.422414064 CET | 212 | OUT | GET /wang/9wb-JLCMX.txt HTTP/1.1
Content-Type: text/html, */*
Content-Length: 0
Date: Thu, 26 Dec 2024 11:15:9 GMT
Host: lb.luob727sgdsg.top
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Dec 26, 2024 12:15:12.060406923 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 26 Dec 2024 10:00:23 GMT
Accept-Ranges: bytes
ETag: "ea3d36fb7c57db1:0"
Server: Microsoft-IIS/7.5
Date: Thu, 26 Dec 2024 11:15:04 GMT
Content-Length: 15747
                                                                    Data Raw: 3b 62 65 67 69 6e cd b7 b2 bf c7 f8 d3 f2 0d 0a 5b 53 65 72 76 65 72 5d 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 58 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 54 a8 5b 7c be db c1 e9 b3 c1 c4 ac 7c 31 32 37 2e 30 2e 30 2e 31 7c 37 31 30 33 7c 31 7c 34 33 2e 32 34 38 2e 31 34 31 2e 31 34 7c 39 30 30 37 7c 30 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 55 a9 b3 a8 72 a8 75 20 20 a9 ae 20 20 20 20 20 20 a3 b2 a3 b0 a3 b2 a3 b4 a1 be be db c1 e9 b3 c1 c4 ac a1 bf 20 20 20 20 20 20 a8 55 7c be db c1 e9 b3 c1 c4 ac 7c 31 30 33 2e 35 33 2e 31 32 37 2e 38 33 7c 37 30 30 31 7c 31 7c 31 30 33 2e 35 33 2e 31 32 37 2e 38 33 7c 38 30 30 36 7c 30 0d 0a 32 35 31 2c 30 3d a1 ee be db c1 e9 b3 c1 c4 ac a1 a4 c9 a2 c8 cb b3 c6 b0 d4 a1 a4 32 36 ba c5 d0 c2 c7 f8 a1 ee 7c a8 [TRUNCATED]
                                                                    Data Ascii: ;begin[Server]251,0=26|XTTTTTTTTTTTTTTTTTTTTT[||127.0.0.1|7103|1|43.248.141.14|9007|0251,0=26|Uru U||103.53.127.83|7001|1|103.53.127.83|8006|0251,0=26|Ut r --------------------------------U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|Uut U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U 18U||10.168.105.171|70|1|127.0.0.1|0|0250,0=26|U------------------------------------------U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U :00:05[] :09:00U||10.168.105.171|70|1|127.0.0.1|0|0251,0=26|U :12:00[


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.4 | 49882 | 103.8.70.183 | 7777
Timestamp | Bytes transferred | Direction | Data
Dec 26, 2024 12:16:07.114993095 CET | 212 | OUT | GET /wang/9wb-JLCMX.txt HTTP/1.1
Content-Type: text/html, */*
Content-Length: 0
Date: Thu, 26 Dec 2024 11:16:6 GMT
Host: lb.luob727sgdsg.top
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


Target ID: 0
Start time: 06:13:59
Start date: 26/12/2024
Path: C:\Users\user\Desktop\4qOTcmSTSq.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\4qOTcmSTSq.exe"
Imagebase: 0xa10000
File size: 19'605'580 bytes
MD5 hash: 2062623F5B2697DD4AFAB644624BBCBA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:14:06
Start date: 26/12/2024
Path: C:\ \4qOTcmSTSq.exe
Wow64 process (32bit): true
Commandline: "C:\ \4qOTcmSTSq.exe" 7312 "C:\Users\user\Desktop\4qOTcmSTSq.exe"
Imagebase: 0xa10000
File size: 19'605'580 bytes
MD5 hash: 2062623F5B2697DD4AFAB644624BBCBA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 32%, ReversingLabs
Reputation: low
Has exited: false

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000003.1781899344.000000000391C000.00000004.00001000.00020000.00000000.sdmp, Offset: 0391C000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_3_391c000_4qOTcmSTSq.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6ee893e76b2acdebc13570acfbb5e5507011ef60975418077c4612bec705b39b
                                                                      • Instruction ID: d36eeb311c8c0bc3672ff308890b8c95105be307e50a01b3a8149628398ab30e
                                                                      • Opcode Fuzzy Hash: 6ee893e76b2acdebc13570acfbb5e5507011ef60975418077c4612bec705b39b
                                                                      • Instruction Fuzzy Hash: 81F27F8944E7C01FDB038B705CA9691BFB46E53115B4E82EBD8C8CE4E7E29C995DD322
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000003.1781899344.000000000391C000.00000004.00001000.00020000.00000000.sdmp, Offset: 0391C000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_3_391c000_4qOTcmSTSq.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 330d2987fc2f04637a33359cc2de07a42dbfc09ff4140dcfc2aee445699372cb
                                                                      • Instruction ID: 42ad35ddb4fd14649a1d035ffc0cfb7f58a4e6b938c16262a3ecc5bb545eed3c
                                                                      • Opcode Fuzzy Hash: 330d2987fc2f04637a33359cc2de07a42dbfc09ff4140dcfc2aee445699372cb
                                                                      • Instruction Fuzzy Hash: 8A62619944E7C01FEB0387705CA8691BFB46B53215F4E82EBC9C8CE4E7E29D591D9322
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000003.1781899344.000000000391C000.00000004.00001000.00020000.00000000.sdmp, Offset: 0391C000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_1_3_391c000_4qOTcmSTSq.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f86d2b3e3e4f8694294628d5d7e2311e54151270764450f4faa769f8d6a25239
                                                                      • Instruction ID: 52e789eed477dc78839e6df15ea4df8d75ecfda44e160dbcb97a570cffde9db3
                                                                      • Opcode Fuzzy Hash: f86d2b3e3e4f8694294628d5d7e2311e54151270764450f4faa769f8d6a25239
                                                                      • Instruction Fuzzy Hash: F662619954E7C01FEB0387705CA4691BFB46B53215F4E82EB89C8CE0E7E29D991DD322