Windows Analysis Report
Test2.exe

Overview

General Information

Sample name: Test2.exe
Analysis ID: 1581170
MD5: 7f888b6cbd5062a7558eea61eb9a9ca2
SHA1: 2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87
SHA256: 864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad
Tags: exeQuasarRATuser-lontze7
Infos:

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Quasar RAT, QuasarRAT Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Test2.exe Avira: detected
Antivirus detection for URL or domain
Source: llordiWasHere-55715.portmap.host Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat Avira: detection malicious, Label: BAT/Delbat.C
Found malware configuration
Source: Test2.exe Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "llordiWasHere-55715.portmap.host:55715;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "124c5996-13c0-46a2-804a-191042a109db", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "h+dzM/IShDOI6hVmZ5ntXLjXZf8jpZkAvCs+CmrfKrj7tcZntlmmf2Qj2W/+j2oFUm+TWbjrMuVRxAPpMBoPtjpiCuGijITPeNNHm0jwhRjtOpx/FBZM1PpUT/+IsQogH/+nGF5XpLnBPjypUcac7XDx8Q3zxcpD9zdedz8YIArNSfxhCi0uSQvaNxghZrF+RhedHBuOxaxVK6IB+yd8CyZ0buvpmZH7EEXjDSMCo1MigtrkP69AB4zKQW83vbIPb8xXLn/5t1EvEMwFHhjzVHad4uvxjcgXAFOMoLb1LRraa3LfX13MXyv6wC7Zh89XvT+T+yggBI+WDhYEFm4KVf3yxAGHb052Yi0JFdukbdBAwrJHg9+dyOuBUgQXf+2xfNZsUimkS2NCY4loQDodZ2kTtfw2HayTNgfF4WF+8OmvDEC4HMS58cfJ8EjhmI9hLc+nGkjpSM71rxGTS0VGxHivN7g3QZCvxSgWSOg0VPOrMa2nPgB/TnTaosM3VOAPHUST3WjQt40mY3JuYLFEccKTD5MwrcibfkJH5NriUKf0eoQhEs6Y51ZEOqSso55sj/r4XEbX+2RKpqsrWLyLxZzHxJYm78WW4pFXWlOK+g4eYHAyF81zbBk+OsSEF4mNwmp3QGVPxj6x+v2FUkqugWDlNC1zGHXBL32ADJ/6pG0=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAIXaYfZoCIPsDpKUPnOqtzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxNDA3NDkwOFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmNv4AwGc2deuTPhlF91PiC5mS1wdYg37TLdFL1gNRVcSRHPoOIUNVRgwbAvtxBAA2aG59CB8qjoeKV21Q0hEiKxzvKLhQk+98tK8xreioswEmQXPPrujjnWyIDrozdDFbjYBFnNOUK7IepZYpXW02HLz6gP6rKau5a/wcp7xiThdcp8Ba8L0cPHfDlgrHx8WLkj+8kGCRUxeEgWYYPc2a6pN5hZeQgRY31jmNtYVAt7JQzFcjGhkP5fEm4aDifaR5hLN9ZfCHE2V16l4Yg45cDbodmQ4bWFL3Uo20/6ADbOE+ASUQ347MyWqeoaDVCkiPxE2NAUom4+AJJVDBNLmqsxKornIMG3XFFtTAeiYVwNqeDZ4fe5+YnZ0NLjSOPm4DYZotykKsZZ+RBJ5Q2pKKc4dnwoMa+890CTPd7ivMmgSYKSdukQTTUsczc0tS4SetaRkSpCcHQhS07xKd+65lZkABdNEPQkN4V+lU3B+9VZaXDebQDrHaMpQa3rVOYs0DG4J420cQ5gSUgjNUiIme2f3nvYSiMAsHvOz798ChCuTK5+f23LEP7rJA9+8yBe/G6P7XCTatwoXYjlEV2U1ZKkAnSSJ1TIQf7yfVQ0bT2By5VpThlzpODeI5p+CMAQMVsyOxBQcsalP2CqfL/wc/3FmJEVnGh9YrramS22WWAcCAwEAAaMyMDAwHQYDVR0OBBYEFLbdC8wNaCuvbyePDaHlRb+pIzsEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAHi/FdNFmeIXieoGwyx3R/aL3J8RPwIZWyAvAme/s/cBiuxrdX4LrndawqfL8BahyPbtxcDLrON3IyY+VbZB4TsTSddzF/BEJlFJPvjjvrHLs3V/K3o7ni/lDOA9/PySUNTZB5roOt3vl7IANIL2ztmpsDWUgXahEVKDpN1i7yukuEC0U5XGG0TVbHGdpR9T6lMnf5t3giAYY/WydAlIglVqVEruijWfj1K2jBJwkgoptlt3nwFJ5FFTDLu78wCbhm/gZuS2A874fO/c2QgGnjUdTv1CpVZU5ED5teH03c/r38/eF36/QVMbXsIhbp5bki7LGceYovTIhi4EWHJItDkCSLxbkBEtKcGL6HiPFWxdd+jKQ19JZzpOxA73BaSO6QijmOcztsPVzzY1iNHgJD+jcCXuTztxgdOShfGW4rS88L6LCkYAiR03iUjO3T5EdaSf4EMCqK3hfjLI/J8UDG6CNu6gc/p8jyPITpkE6mbsiqR8DEoTYIc2Mzap7uSnikgiNEuh06p8gYZjNgn0cRhLVmbUXVPxIIyDVX8+n9aMhdCdou6QHMOciBI2TJ45lgscGuTeHCWdlWz/XeKZRDulU7dnkIb0S6yKLRwWuPsILfN0DtSGay1V2bNrIfZyhxKR04E2VUt5HeI+oO9GCNd6N3i+s0E2rsU6XU+LZUEo"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe ReversingLabs: Detection: 78%
Multi AV Scanner detection for submitted file
Source: Test2.exe Virustotal: Detection: 82% Perma Link
Source: Test2.exe ReversingLabs: Detection: 78%
Yara detected Quasar RAT
Source: Yara match File source: Test2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Test2.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Test2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Test2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: llordiWasHere-55715.portmap.host
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Yara detected Generic Downloader
Source: Yara match File source: Test2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: llordiWasHere-55715.portmap.host replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: llordiWasHere-55715.portmap.host
Source: Test2.exe, 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, Client.exe, 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Test2.exe, Client.exe.0.dr String found in binary or memory: https://api.ipify.org/
Source: Test2.exe, Client.exe.0.dr String found in binary or memory: https://ipwho.is/
Source: Test2.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Test2.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Test2.exe, Client.exe.0.dr String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

E-Banking Fraud
barindex
Yara detected Quasar RAT
Source: Yara match File source: Test2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Test2.exe, type: SAMPLE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: Test2.exe, type: SAMPLE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Test2.exe, type: SAMPLE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: Detects Quasar infostealer Author: ditekshen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: Detects Quasar infostealer Author: ditekshen
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF848F095F2 2_2_00007FF848F095F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF849178A61 2_2_00007FF849178A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF849174D50 2_2_00007FF849174D50
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF849175BE1 2_2_00007FF849175BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF8491793C1 2_2_00007FF8491793C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF84917A7CD 2_2_00007FF84917A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF8491710D1 2_2_00007FF8491710D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF848F295F2 7_2_00007FF848F295F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF849198A61 7_2_00007FF849198A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF849194DC6 7_2_00007FF849194DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF849195BE1 7_2_00007FF849195BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF8491993C1 7_2_00007FF8491993C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF84919A7CD 7_2_00007FF84919A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF8491910D1 7_2_00007FF8491910D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF849198A61 18_2_00007FF849198A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF849195BE1 18_2_00007FF849195BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF8491993C1 18_2_00007FF8491993C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF849194DC6 18_2_00007FF849194DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF84919A7CD 18_2_00007FF84919A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF848F395F2 24_2_00007FF848F395F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF848F394F2 24_2_00007FF848F394F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A8A61 24_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A4DC6 24_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A5BE1 24_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A93C1 24_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491AA7CD 24_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A10D1 24_2_00007FF8491A10D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491A8A61 29_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491A5BE1 29_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491A93C1 29_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491A4DC6 29_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491AA7CD 29_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491A8A61 34_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491A5BE1 34_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491A93C1 34_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491A4DC6 34_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491AA7CD 34_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF848F495F2 39_2_00007FF848F495F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF848F494F2 39_2_00007FF848F494F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B8A61 39_2_00007FF8491B8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B4DC6 39_2_00007FF8491B4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B5BE1 39_2_00007FF8491B5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B93C1 39_2_00007FF8491B93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491BA7CD 39_2_00007FF8491BA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B11F2 39_2_00007FF8491B11F2
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B10D1 39_2_00007FF8491B10D1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491B8A61 44_2_00007FF8491B8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491B5BE1 44_2_00007FF8491B5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491B93C1 44_2_00007FF8491B93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491B4DC6 44_2_00007FF8491B4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491BA7CD 44_2_00007FF8491BA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491A8A61 49_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491A5BE1 49_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491A93C1 49_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491A4DC6 49_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491AA7CD 49_2_00007FF8491AA7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF849178A61 54_2_00007FF849178A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF849174D50 54_2_00007FF849174D50
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF849175BE1 54_2_00007FF849175BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF8491793C1 54_2_00007FF8491793C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF84917A7CD 54_2_00007FF84917A7CD
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491A8A61 59_2_00007FF8491A8A61
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491A5BE1 59_2_00007FF8491A5BE1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491A93C1 59_2_00007FF8491A93C1
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491A4DC6 59_2_00007FF8491A4DC6
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491AA7CD 59_2_00007FF8491AA7CD
Sample file is different than original file name gathered from version info
Source: Test2.exe, 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe
Source: Test2.exe, 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe
Source: Test2.exe Binary or memory string: OriginalFilenameClient.exe. vs Test2.exe
Uses 32bit PE files
Source: Test2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: Test2.exe, type: SAMPLE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: Test2.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Test2.exe, type: SAMPLE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: classification engine Classification label: mal100.troj.evad.winEXE@122/27@23/0
Source: C:\Users\user\Desktop\Test2.exe File created: C:\Users\user\AppData\Roaming\SubDir Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\124c5996-13c0-46a2-804a-191042a109db
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File created: C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "
Source: Test2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Test2.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Test2.exe Virustotal: Detection: 82%
Source: Test2.exe ReversingLabs: Detection: 78%
Source: Test2.exe String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\Test2.exe File read: C:\Users\user\Desktop\Test2.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Test2.exe "C:\Users\user\Desktop\Test2.exe"
Source: C:\Users\user\Desktop\Test2.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\chcp.com Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Test2.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\Test2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Test2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Test2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Test2.exe Static file information: File size 3266048 > 1048576
Source: Test2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
Source: Test2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF848F07569 push ebx; iretd 2_2_00007FF848F0756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF848F08163 push ebx; ret 2_2_00007FF848F0816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 2_2_00007FF849172A42 push eax; ret 2_2_00007FF849172BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF848F28163 push ebx; ret 7_2_00007FF848F2816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF848F27569 push ebx; iretd 7_2_00007FF848F2756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 7_2_00007FF849192A42 push eax; ret 7_2_00007FF849192BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 18_2_00007FF849192A42 push eax; ret 18_2_00007FF849192BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF848F38163 push ebx; ret 24_2_00007FF848F3816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF848F37569 push ebx; iretd 24_2_00007FF848F3756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 24_2_00007FF8491A2B90 push eax; ret 24_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 29_2_00007FF8491A2B90 push eax; ret 29_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 34_2_00007FF8491A2B90 push eax; ret 34_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF848F48163 push ebx; ret 39_2_00007FF848F4816A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF848F47569 push ebx; iretd 39_2_00007FF848F4756A
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 39_2_00007FF8491B2A42 push eax; ret 39_2_00007FF8491B2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 44_2_00007FF8491B2A42 push eax; ret 44_2_00007FF8491B2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 49_2_00007FF8491A2B90 push eax; ret 49_2_00007FF8491A2BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 54_2_00007FF849172A42 push eax; ret 54_2_00007FF849172BFC
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Code function: 59_2_00007FF8491A2B90 push eax; ret 59_2_00007FF8491A2BFC
Drops PE files
Source: C:\Users\user\Desktop\Test2.exe File created: C:\Users\user\AppData\Roaming\SubDir\Client.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Test2.exe File opened: C:\Users\user\Desktop\Test2.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe File opened: C:\Users\user\AppData\Roaming\SubDir\Client.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Test2.exe Memory allocated: 10C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Test2.exe Memory allocated: 1AA70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1800000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1B3C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AE40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 12F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AE40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 17D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1B4C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AEE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1A690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AC80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1A9C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1A7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AB70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1AB10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Memory allocated: 1B5D0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Test2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Test2.exe TID: 5036 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5668 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 572 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 2352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 3228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 4124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe TID: 5776 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\Test2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Thread delayed: delay time: 922337203685477
Source: Client.exe, 00000036.00000002.3280560936.000000001B6EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: Client.exe, 0000000D.00000002.2316579347.000000001B950000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000012.00000002.2432299693.000000001C0D0000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000003B.00000002.3387715618.000000001BEE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Client.exe, 0000003B.00000002.3390622435.000000001C153000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Client.exe, 00000002.00000002.2089954592.000000001BD34000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000007.00000002.2201234655.000000001B8EF000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000000D.00000002.2316579347.000000001B950000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000018.00000002.2552531345.000000001B91C000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000001D.00000002.2676671848.000000001B212000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000002.2784995626.000000001B5AD000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000027.00000002.2917004821.000000001B2D2000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 0000002C.00000002.3022842266.000000001B105000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000031.00000002.3145957903.000000001B4AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\Test2.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Test2.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Test2.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Shpa9OKN8GrQ.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HKybYN00EBOw.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\O2JjN7gejzZT.bat" " Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\zXNfNAaZQ18l.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\YWzMsGcZYfSk.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\BcVX8akEUPIc.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2wKqvlgp23d2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\sqncKNCuACCi.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\r9ftmQJc7N4i.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\VlApCIMOlO5L.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q04w6t2xkN0a.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Client.exe "C:\Users\user\AppData\Roaming\SubDir\Client.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\lPpSfrGjSDT5.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Test2.exe Queries volume information: C:\Users\user\Desktop\Test2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\Client.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\Desktop\Test2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Quasar RAT
Source: Yara match File source: Test2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Quasar RAT
Source: Yara match File source: Test2.exe, type: SAMPLE
Source: Yara match File source: 0.0.Test2.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2193762959.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000037DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.000000000315E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2421403593.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2193762959.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000036.00000002.3233179129.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3118100690.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034739793.0000000000780000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2305729866.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2768663751.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2653674828.00000000026C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.00000000031FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2034418399.0000000000462000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.3002789942.0000000002829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2084085399.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2892307088.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000002.3354829409.0000000003609000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2535791887.0000000002F19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2060291190.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062421739.000000001B382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Test2.exe PID: 4196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 1352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 5728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 4832, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 3452, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Client.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\SubDir\Client.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1581170 Sample: Test2.exe Startdate: 27/12/2024 Architecture: WINDOWS Score: 100 79 llordiWasHere-55715.portmap.host 2->79 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 8 other signatures 2->91 15 Test2.exe 5 2->15         started        signatures3 process4 file5 75 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 15->75 dropped 77 C:\Users\user\AppData\Local\...\Test2.exe.log, CSV 15->77 dropped 81 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->81 19 Client.exe 10 15->19         started        signatures6 process7 file8 67 C:\Users\user\AppData\...\Shpa9OKN8GrQ.bat, DOS 19->67 dropped 93 Antivirus detection for dropped file 19->93 95 Multi AV Scanner detection for dropped file 19->95 97 Machine Learning detection for dropped file 19->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->99 23 cmd.exe 1 19->23         started        signatures9 process10 signatures11 105 Uses ping.exe to sleep 23->105 107 Uses ping.exe to check the status of other devices and networks 23->107 26 Client.exe 9 23->26         started        30 conhost.exe 23->30         started        32 PING.EXE 1 23->32         started        34 chcp.com 1 23->34         started        process12 file13 73 C:\Users\user\AppData\...\HKybYN00EBOw.bat, DOS 26->73 dropped 111 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->111 36 cmd.exe 1 26->36         started        signatures14 process15 signatures16 101 Uses ping.exe to sleep 36->101 39 Client.exe 9 36->39         started        43 conhost.exe 36->43         started        45 PING.EXE 1 36->45         started        47 chcp.com 1 36->47         started        process17 file18 71 C:\Users\user\AppData\...\O2JjN7gejzZT.bat, DOS 39->71 dropped 109 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->109 49 cmd.exe 39->49         started        signatures19 process20 signatures21 83 Uses ping.exe to sleep 49->83 52 Client.exe 49->52         started        56 conhost.exe 49->56         started        58 chcp.com 49->58         started        60 PING.EXE 49->60         started        process22 file23 69 C:\Users\user\AppData\...\zXNfNAaZQ18l.bat, DOS 52->69 dropped 103 Hides that the sample has been downloaded from the Internet (zone.identifier) 52->103 62 cmd.exe 52->62         started        signatures24 process25 signatures26 113 Uses ping.exe to sleep 62->113 65 conhost.exe 62->65         started        process27
No contacted IP infos

Contacted Domains

Name IP Active
llordiWasHere-55715.portmap.host unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
llordiWasHere-55715.portmap.host true
  • Avira URL Cloud: malware
 unknown