Edit tour

Windows Analysis Report
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Overview

General Information

Sample name:	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Analysis ID:	1587304
MD5:	c847a23633e81d799fba45bde7cc9951
SHA1:	090035126cabb2fb574175c271097042025202de
SHA256:	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe" MD5: C847A23633E81D799FBA45BDE7CC9951)

schtasks.exe (PID: 2452 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2360 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3040 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4580 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3636 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5620 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1772 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1440 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1476 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6500 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6396 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6176 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6616 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5428 cmdline: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3136 cmdline: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6152 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3192 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2076 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2316 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6156 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6668 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2448 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 14 /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7160 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5700 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 13 /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5772 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\csrss.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6588 cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5280 cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3812 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2924 cmdline: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2800 cmdline: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5684 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 13 /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5756 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6768 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 14 /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1772 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 6 /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1440 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1476 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 12 /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5532 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6352 cmdline: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"L\":\"$\",\"y\":\"@\",\"o\":\"&\",\"i\":\"#\",\"R\":\"<\",\"B\":\"^\",\"O\":\"_\",\"j\":\"~\",\"Y\":\"!\",\"X\":\"(\",\"m\":\")\",\"E\":\";\",\"b\":\"-\",\"z\":\">\",\"Z\":\".\",\"J\":\",\",\"N\":\" \",\"c\":\"*\",\"S\":\"`\",\"Q\":\"%\",\"k\":\"|\"}", "PCRT": "{\"X\":\"<\",\"w\":\"*\",\"I\":\">\",\"i\":\"|\",\"f\":\",\",\"b\":\"&\",\"S\":\"-\",\"p\":\"#\",\"x\":\"@\",\"=\":\"(\",\"M\":\"`\",\"e\":\";\",\"y\":\" \",\"c\":\"%\",\"D\":\".\",\"Q\":\"$\",\"l\":\")\",\"0\":\"!\",\"j\":\"_\",\"6\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jDGdZPGXBiq4zdh91P6z", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.2062107630.0000000003151000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe PID: 6008	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessId: 6008, TargetFilename: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Windows\Temp\audiodg.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessId: 6008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessId: 6008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KryJcojekJhJNSUQWyfsXjt

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessId: 6008, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: "C:\Program Files (x86)\windowspowershell\Registry.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessId: 6008, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 6 /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /f, CommandLine: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 6 /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe", ParentImage: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ParentProcessId: 6008, ParentProcessName: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessCommandLine: schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 6 /tr "'C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe'" /f, ProcessId: 1772, ProcessName: schtasks.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /f, CommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe", ParentImage: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ParentProcessId: 6008, ParentProcessName: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, ProcessCommandLine: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /f, ProcessId: 6616, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\Temp\audiodg.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000000.00000002.2062107630.0000000003151000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"L\":\"$\",\"y\":\"@\",\"o\":\"&\",\"i\":\"#\",\"R\":\"<\",\"B\":\"^\",\"O\":\"_\",\"j\":\"~\",\"Y\":\"!\",\"X\":\"(\",\"m\":\")\",\"E\":\";\",\"b\":\"-\",\"z\":\">\",\"Z\":\".\",\"J\":\",\",\"N\":\" \",\"c\":\"*\",\"S\":\"`\",\"Q\":\"%\",\"k\":\"|\"}", "PCRT": "{\"X\":\"<\",\"w\":\"*\",\"I\":\">\",\"i\":\"|\",\"f\":\",\",\"b\":\"&\",\"S\":\"-\",\"p\":\"#\",\"x\":\"@\",\"=\":\"(\",\"M\":\"`\",\"e\":\";\",\"y\":\" \",\"c\":\"%\",\"D\":\".\",\"Q\":\"$\",\"l\":\")\",\"0\":\"!\",\"j\":\"_\",\"6\":\"~\"}", "TAG": "", "MUTEX": "DCR_MUTEX-jDGdZPGXBiq4zdh91P6z", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\WindowsPowerShell\Registry.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	ReversingLabs: Detection: 76%
Source: C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Recovery\csrss.exe	ReversingLabs: Detection: 76%
Source: C:\Users\Default\Music\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\Temp\audiodg.exe	ReversingLabs: Detection: 76%
Source: C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe	ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	ReversingLabs: Detection: 76%
Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Windows\Temp\audiodg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Registry.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Recovery\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected
Source: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Joe Sandbox ML: detected

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Multimedia Platform\24dbde2999530e	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\WindowsPowerShell\e6c9b481da804f	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Defender\fc3ef8bff8a8fa	Jump to behavior

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: a1066647.xsph.ru

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\ServiceProfiles\fc3ef8bff8a8fa	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\bcastdvr\fc3ef8bff8a8fa	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\LiveKernelReports\fc3ef8bff8a8fa	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Code function: 0_2_00007FF848F39A2F

0_2_00007FF848F39A2F

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: audiodg.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmiPrvSE.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Registry.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe1.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe2.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe3.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe4.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: csrss.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: OfficeClickToRun.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe5.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe6.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe7.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KryJcojekJhJNSUQWyfsXjt.exe8.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000002.2065528190.000000001C3B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameli8! vs 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000000.2033030171.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@37/46@2/0

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\a75e7ebeeb664450bf97a1676e5e368cae182978

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Windows\Temp\audiodg.exe

Jump to behavior

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	ReversingLabs: Detection: 76%
Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File read: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe "C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe"
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Music\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 14 /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 13 /tr "'C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\csrss.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 13 /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 14 /tr "'C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Multimedia Platform\24dbde2999530e	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\WindowsPowerShell\e6c9b481da804f	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Directory created: C:\Program Files\Windows Defender\fc3ef8bff8a8fa	Jump to behavior

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Code function: 0_2_00007FF848F39157 push edx; retf	0_2_00007FF848F39158
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Code function: 0_2_00007FF848F32CF8 pushad ; retf	0_2_00007FF848F32D11
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Code function: 0_2_00007FF848F32D08 pushad ; retf	0_2_00007FF848F32D11

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Recovery\csrss.exe

Jump to dropped file

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Users\Default\Music\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Recovery\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Registry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\Temp\audiodg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe

Jump to dropped file

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	File created: C:\Windows\Temp\audiodg.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files (x86)\windowspowershell\Registry.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files (x86)\windowspowershell\Registry.exe"	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe"	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File created: C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /f

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Memory allocated: 17E0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Memory allocated: 1B150000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Window / User API: threadDelayed 1036			Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	Window / User API: threadDelayed 1124			Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe TID: 2000	Thread sleep count: 1036 > 30	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe TID: 2000	Thread sleep count: 1124 > 30	Jump to behavior
Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe TID: 6180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000002.2066178016.000000001C50A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000002.2064405638.000000001C066000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Queries volume information: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062107630.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe PID: 6008, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062107630.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe PID: 6008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	233 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	41 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	41 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	69%	Virustotal		Browse
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	100%	Avira	HEUR/AGEN.1323984
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\Temp\audiodg.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Registry.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\csrss.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Windows\Temp\audiodg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Registry.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Recovery\csrss.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\WindowsPowerShell\Registry.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\csrss.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\Music\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Temp\audiodg.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a1066647.xsph.ru	141.8.192.164	true	false		unknown
pastebin.com	104.20.3.235	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, 00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587304
Start date and time:	2025-01-10 05:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@37/46@2/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 23.1.237.91, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe, PID 6008 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:27:01	Task Scheduler	Run new task: audiodg path: "C:\Windows\Temp\audiodg.exe"
05:27:01	Task Scheduler	Run new task: audiodga path: "C:\Windows\Temp\audiodg.exe"
05:27:01	Task Scheduler	Run new task: csrss path: "C:\Recovery\csrss.exe"
05:27:01	Task Scheduler	Run new task: csrssc path: "C:\Recovery\csrss.exe"
05:27:01	Task Scheduler	Run new task: KryJcojekJhJNSUQWyfsXjt path: "C:\Program Files (x86)\java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe"
05:27:01	Task Scheduler	Run new task: KryJcojekJhJNSUQWyfsXjtK path: "C:\Program Files (x86)\java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe"
05:27:01	Task Scheduler	Run new task: OfficeClickToRun path: "C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe"
05:27:01	Task Scheduler	Run new task: OfficeClickToRunO path: "C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe"
05:27:01	Task Scheduler	Run new task: Registry path: "C:\Program Files (x86)\windowspowershell\Registry.exe"
05:27:01	Task Scheduler	Run new task: RegistryR path: "C:\Program Files (x86)\windowspowershell\Registry.exe"
05:27:01	Task Scheduler	Run new task: WmiPrvSE path: "C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe"
05:27:01	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe"
05:27:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt "C:\Program Files (x86)\java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe"
05:27:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe"
05:27:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files (x86)\windowspowershell\Registry.exe"
05:27:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Recovery\csrss.exe"
05:27:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe"
05:27:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\Temp\audiodg.exe"
05:27:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt "C:\Program Files (x86)\java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe"
05:28:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe"
05:28:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files (x86)\windowspowershell\Registry.exe"
05:28:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Recovery\csrss.exe"
05:28:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OfficeClickToRun "C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe"
05:28:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\Temp\audiodg.exe"
05:28:40	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run KryJcojekJhJNSUQWyfsXjt "C:\Program Files (x86)\java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe"
05:28:48	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe"
05:28:56	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Registry "C:\Program Files (x86)\windowspowershell\Registry.exe"
05:29:05	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run csrss "C:\Recovery\csrss.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	Solara_v3.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	Solara_v3.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	Drivespan.dll	Get hash	malicious	Unknown	Browse	104.20.3.235
	XClient.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	ogVinh0jhq.exe	Get hash	malicious	DCRat	Browse	104.20.4.235
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	172.67.19.24
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	bad.txt	Get hash	malicious	AsyncRAT	Browse	104.20.3.235

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Java\jre-1.8\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	5.429529251398624
Encrypted:	false
SSDEEP:	3:xYBLTBXDg2b7w2DfbDVA0Kms3fS3KAxrMPn:K5hDL7fmzms3fOC
MD5:	98FE65D890D4AECCCB8B5E703522A1AE
SHA1:	6BBAA3CAE2245344E15A414BA4103A4A374EE6C9
SHA-256:	1D34A093719662CCF2404FE7CF92B60DA6A939805225FE110199CD03A5B0702E
SHA-512:	16A8574D217C07D5C88DF0DFE4ADB24EE1B540ECEEC5A9CBFE2B9FFCE276006EAC267AAC4F414E58D3AD67FCAB186222D78EAE5D5B02E6E66DB991AF742EEC7A
Malicious:	false
Preview:	uJVyIagHopepdj53Ga6dBSULWFduDSKEKgV20bvy2NU9ssGcWBK2PJEczJcC6wDWeZe6OCCopHky7Udo8BXCIRzAc2Dr9s2GJ7eTNKNT8fNHj

C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Mozilla Maintenance Service\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	5.654451632442291
Encrypted:	false
SSDEEP:	3:6gUZyMhJ9ZzdmBW4OdwRLBaQklXV5jIiVtiWNET/nukwUNxkYO8CdJW3bLYGwlA:6gUdh1ABW5wtBiV9lHqPukvq8C3W3vYC
MD5:	88DA6A83F9064A23798A260CA31F3789
SHA1:	0FACC33FA4E3624A9D1FAE73749C2ED09F2E20A4
SHA-256:	50E671B011E5AFA6ED5B75177053141FEF53E5495A00DEB9E88089827C30012B
SHA-512:	3DC247DFDBCDBC88F033D863C9887C97F4A8B913374CA23DD428C14B6BAAA688C8FEF68DB5D3B4DFEF028CBC5E293BD55884DD7B64DB96A7722BDA3E931A8E2C
Malicious:	false
Preview:	7CiJ2E1U5GqWg2Ff474gJya5cjFXOGCU6CqDu4e8odsdnXWn8k0RS2BJlnqT9dGzEVaeMBuAd62pF7SFMcYoQuCEBhbHOK8KX3YR72a6z0xVAVDoVlGhFcjUSVcpknvT7rSLiAHUBbyZ6qDpdxvmEaE4UE9lZvWLEeXSD2FUdvgnnJX

C:\Program Files (x86)\WindowsPowerShell\Registry.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WindowsPowerShell\Registry.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\WindowsPowerShell\ee2ad38f3d4382

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (990), with no line terminators
Category:	dropped
Size (bytes):	990
Entropy (8bit):	5.8980366075010755
Encrypted:	false
SSDEEP:	24:Rcq4RxtbUZMhSXpJCW5Om/xHm5hX01fu/gWHC8w9k:iq4R/UZ+8QeK10E/hB
MD5:	F1DED456E92A03D1F4B8D17150719A8B
SHA1:	52E9C336C5311E8A38B9152B8A75B49FD0CA4FB7
SHA-256:	4B63CE956C8E112179694F265F2A4B20E5435068A22986435EC0A80DBE02D089
SHA-512:	BC10593E19A6D7B94F64060BD4613A025AF8ABC198446D2F80BFA6779766BC1A72E2F7FFA15361E4D1E02E7677646EE942510C19851416F69BC1F05E32DA11CB
Malicious:	false
Preview:	88eyRBWSYu9mLAlbZHElKxLmt2YiMjFVEZENVN9wNQ0D1KiuymXJHVyLx2FYmxFzonhw5XGMIRX37HuiUoukL5Otk3adIlJaLAYNnwyafLBz75NpHgE8CfntZyMC7nEgH7s6sh5h0TEA4ZvopvVmhLYpXpyykwd2HerAMR6jkgIsbny9ChXLRc96iDjDtH7D0L3ZsvbXywBADpOu0yvCYRkpfubJs3zdiE2PtYRRF9Xfa832zyM5V4pikO47TSp46hb9x8Abgd7Z4FOg1iU3r4HoZTofeU8xUci2g3F0yuY16Pof9YFu7vNBaxjeTe7MfKFbgV97deE7gPrJpJfFPN0iPhctUlgTwMWwKM8oZHRcrPfKGayJ927RUgM93Qn27vLU348cL1qH6X19CSm3wWU3OEcnA8vJdZf6ELRLbW8HMzV7pM7kntFkaRFycUcMGhoh1550BacaYNrZte8xBKftT4fxGctG3vBoLyFuRGjMRpMNjpF7WpK6B4N7ZHuirVgmLDO4ZNf5kTcnsSOaWvuOlFnQkIVJVBf5JjBgbKiIJPVrckOG3UM5lRBGZ7UR2VjjygeIRs8LNlEVt6yA3OQByjU1i4Ge0QPxqw35FGzLWAsANpXcIUYoFiuPMnkXleV6VRp6C24xYFox0Uo2goVf2lsHCntcfck2pwo5AbaQalPA36Y18r07I0Dtjh3YIbR6ewIEps2FNEERVrOGO2dylntys4WchBI8TSfHxUMQyvtDvwY1TxJQ7cV1CTVuVahM6G7CMHS4pNA03pD5gfIu11A17nEe9c4XNgHpzVpMfPkucf7XQaN0SxVEFGEiCy4NTmmXiYGLz5PlQQYcqrNjODEZLCksQHJqUXb02ky2TCAXityyrm1VkV8PhMMgxX4sviQ3zikG2VPMCr1bOvBoPyG8ZLSpYRE5HSmAc49JBvdOGvMzVuSCWQd7cRdnP4rlRUEuF18Tv2mdV12n9cUn8Bj1yp

C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Defender\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (681), with no line terminators
Category:	dropped
Size (bytes):	681
Entropy (8bit):	5.88253000602819
Encrypted:	false
SSDEEP:	12:ZfL8pix45pQRky1FFkFohjFEApDxsH6YarsaQPfMZiUQpTB2A9YRUjXt0V1gRRn:hx45p7wGQjFpHq6RsDfJTD9YRKtsi/
MD5:	A8061AB0C524895F461447C2DC894E0B
SHA1:	D46502A7313FC0D5B737FACA2A520FBB960B9646
SHA-256:	55B1E3618A26A48CB2F892871C9C4FBA27B91671144EDB625E3A1FF84ADDFB2A
SHA-512:	9BF530CC87FB20026DD78A55EA2457EA5D51784E2DE8AAFF5E025F6FD0B50248DAE1A9D138D0B7278EFC102ECF35632E8413F9F59535A7136B9E5243BDDD3492
Malicious:	false
Preview:	j8tV3CJOtFOZGnvlc6wQpYY11CsfAW7MSmE1QKKd35YQtcTgB2lOZOALj2e0ToNWIBHej3VSwSWuAIHYtMdHusxDl3SXqTJOrBHrVz7HgTcG2QLavFHGKFmaOD2pl8lcIHC8AaD4PWlaPqLUs1mkLDElZrcR6Rfis97uOMaUCM1xeLKi2h7tWBRFDajS7v771CsQsaGfbRh9LQHNh3YYUvMrs2qxmHWQO36bd40babSEdS3xTWuEWjnF0BhzuT2T4QuSTptnD772dHNa83dQWS4pQ1lbWArHi9JMhleomHBZlumsxG11zm6mWEBbDRRCQ0Te8B2WYznPReDfP2oPJ0R6ChzdjCkU08JvbHuwOecA8rU2AfMLnB2aiXbaLZwWOSYSVSEHI2BpXQ7UN7cDzZryGtMEqTkyrFwpSBgsbFCvANCSZGNO6thzlkMlFAbzRM7SeSCLatmuW5y3r4ojFW28i7Dsz5nanNeyPtxGECxNGwcqvT4KV2t5U9uhOUVfFLGJbAn7HieDio1veX6gAdFvdidQ8Q2uqSH4qSOvp6DxXqWpH9C0XzemGUp2gX81puWQh6EMJL0DZRXxMyI9NBX1xeyVmVOR7MHnTGIK40rL8aMy72qsP9nnWfcCItjx6jFNJudGp7EXUL2WR9YupgC8ieQynFCLQ3PZU9pMY

C:\Program Files\Windows Multimedia Platform\24dbde2999530e

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (680), with no line terminators
Category:	dropped
Size (bytes):	680
Entropy (8bit):	5.862168374578988
Encrypted:	false
SSDEEP:	12:2/n/2UlLf6FHeGzunAbXOnKPHKQhQgfTLyD4uFEuJAVgM87yTykAaSj:AnOUl0QAzOWqQWCLOQVTLTykA3
MD5:	77B961EC253C98CDE12469F0C6763F76
SHA1:	ED769BFEE44F27DB36AA81ED90060EF43327E7DC
SHA-256:	8A36CB776A1AB16B7C5139758DC6D5CD56F225EFB64A3E946CB910C9BEE773DC
SHA-512:	937878631C7A5DA68C303C89D40AD6C48AE21A8384BEE751E3A43E4CC4588B2A58E17858ECE38820FE731B57880B2C402D27804B73C2C50319CFEEEC87528F25
Malicious:	false
Preview:	Pfr65YMBMrEBZIk8fBivgT6AeqHhiYm9VAZuF8Uirv9cG0Bfzuq7IiJ5ircOQpcyEEqYs03hqADuUe3oomsyro1x0eLXfGSCSLXCJnw81JQIeYkDyyjn6oHaN2hOofBkrBbJH1eBzt6hXtTc3IirgoFoE6yRFiUVIqac7b67UiyNsjCdjFVg6TED6xFKCN6RZkZrT0fcMlX8025e4Ur9NxYymWgJVv4HlgxHKVKtk2UV6FND1lQrf6ElMkE6TVGarQWTEyTiK7YUdD2gIcRueMlpbM5kQNZOv3nqt38DRrhiiuHIsix0EW6epr122tS6iJikZLxPeNcwpDGrEx1rZiKZ6JBCCGKhZl9YLgsgviW03JzlkJxF2kg99JnQKvMXD5XDDsghEU60LTfxTZb2SEpyE9YB2bV9V8x8vvi1nPBhnpyqo07vTUF8Pj9DTfom96eMfgBh0kOCDIKYLsXCekqB3ztMwehIkZhrKlKHzZ5tFC5GZl2lImIYQdTqxzvVCGbokdNkiPMEp7514mxLm6A8QJarSeTAojq8kRg5XRC2ZDtSibvLBktFGdXbCgSD5MaGQ6QnG1xV3HiNZII0sI8E0k2H3E30986NnnClLIFKwXM95JB4XcVxOWPpEJtB77V4KVkwGhokDyRcY2LuC9chnJ9RXWhCYDMzCRyk

C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\WindowsPowerShell\e6c9b481da804f

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (527), with no line terminators
Category:	dropped
Size (bytes):	527
Entropy (8bit):	5.881830834679637
Encrypted:	false
SSDEEP:	12:rB5mjG8Trnx32V3Kgle3U6Aw5PfI/WpPsx1qOhh:rB5X8T13u6b3U7w5pwVL
MD5:	CAD2F685D199E8891958D3A86C344334
SHA1:	254D516CD655602154C16384A0076CDAAB585EBB
SHA-256:	43B442128ABA8F5E4CEC35614E2A744AC5A68704F7B2241EC4571B929581B7D3
SHA-512:	6B7171E156AAF53DE64C4468DD50F2C7FD39ED4450AC71B801E23B4F3CE15C254DE5FAE09401CA643D6D60FF7917B3CCC76E48984907758D381492DD8E1D99A4
Malicious:	false
Preview:	lKzX2avRLpSmFvSmUDWgQxQkBLRwFiXfqG4yvqRsfAyapoVdXk39ocQy4PVrI9MnRx580d0ovnBP804X0yYeoY0O0F3gUkkfxLI1sWn3tPNBbAzEU80Uks836rIukUUKCfbxsCoeKfuZKzwzPzLVuQ5FMO5BO2TZ5D86iCWRUWJF7jsH4SfuJ8awjWldHmQSLVeH00RNd4BYH0InfxG5XjP6mMWMb2JrF03lFlQDBRRO7BotN78TfU5mGheoeEwkuTSQ6hi4hD4FRA9lhn8d40Mv5RfiGlj6eqeotYwqZEwcazUFh3H1GTq4GhVpB9x5d7klgV1J0RD0DtUF7aANes0L9khMCHoZQ08dOsiMB7AyQ00XMPsl9jbvGZl5xpGtmnjNu11O1yLhrC5JuKAxYDaqYNWzHnYW0RLmRmmUYduLY4EEdbLnpTUjM2yheBGOZyqZ0S2HipY5SPSeISVpburh7lZYxE0WWgvjNoOLjDF94ZR7jUZMqbwpHIcO2dUdzCiwdsQeDKGXorm

C:\Recovery\886983d96e3d3e

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (858), with no line terminators
Category:	dropped
Size (bytes):	858
Entropy (8bit):	5.91489185683446
Encrypted:	false
SSDEEP:	24:oOYd5N2dFpdNip6n/Mv2VOJOjl+qnZPsJH:oR5NWFpa4n/Mv2V7l+qnZkJH
MD5:	59D57A657A98BD9D0E68845CD630263F
SHA1:	6A799005885D5F98CABDB8DAC4F7F632359C71E8
SHA-256:	BCBFCEA1B6CB6F3C091D0F9468BE3BDD5727CC1DF8F2B75CAB66A18C5585335D
SHA-512:	AE740B73D86D31826D78670582349A516B3734055160D8CC455E7F3BB8C1133C1B68701CD5716052ED6DE293E1FB41D82144D90819C62EB21A360EA04DF1F94F
Malicious:	false
Preview:	MmWU68sk4yeFSr8QSsMMW19lT2isq0MQc8xe8eRm2TbzVdOfQ2huwveUmuBEZ93DlNnU3eRxajTCZKQznDcySbdrdd1NdNN2aYNH03lwltTNbc5beLaVhFvKu61amEUNWbmB7I8ucpMiHQPBhasRw2UVmCX4BLJhZG0Az4eVMq312MCdq02MVCbeGRY4vEsQgpJBZPLn5WFF8ccaA3NLS7LXpW3hfjkI8mVMCBDboPQ87Vfny7420g7jewVDVoHVw6HVHQX8zwhDqNZU0QshpsRbpwrQpAFAH5LANJghj5CE942RWBMF5jqEppqUiHTzrg5uBYGrtK8upNcu3a3ny9EhPHVidM9cmNWc8IP85fVul5YbN5aINpBrcXf3CiNhLfHc09wvK5sSoT6Ts4Vhw1O6LpAkmW5XRyjFx6kNJo7S7sDIbMLIMquURKQL9LJy9VBzu0fwTIXH359dm1IaKwKlDOxnpZN8eISlrNXkqYzESmaVKxiHCtnNKZvgD2G34ZnvnYvYditw7FSaxcc11F5veFbRc1hyR5K39oswCKoe91PEHUskaPCyd1Rh6d5lA5eB5YaItpzqbbvmzWJHJ6YC3VZIXK0iOCdEXNJt3j0uaVXCFosjUxcDgbIk8SvjyQcZ7rPmNaOkFnmh8XDtcQOajZh6FiulyR5J38FYZGW3j273ylmlPCHiCBzhJShopmwyrdo9SpTW4U0rcnHd6JWvKXG1JhOGjrO6GJMV7mTksuosKHFgLDsfQAoTWw0uaMxNG4lSbwgU0vDZtYqBcs5f9spGf28KwiJg7blQgwEZgXpf7Ok8FySsRRNXOfxixViRmgcSwafpng9lDKJRSAF7Qa

C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\csrss.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\csrss.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (677), with no line terminators
Category:	dropped
Size (bytes):	677
Entropy (8bit):	5.9079363863772905
Encrypted:	false
SSDEEP:	12:ErIhl53tTq5odMGyZ6oFPGBRKYB29cvsaRpeZHuOjTu37dgKw4Cy1:ErIhl+58MGlo1GrBB2+vrRp6Hnj637dL
MD5:	FA05A75C4CB019D1C64BA5478FCC8EB3
SHA1:	EFEC86334B7F2D5EDC79357E7454DCE77BE442F8
SHA-256:	CB804C2B8563BD878C72C1AC6C7CE1FF73E28A76808E2D9ADB6B091549B34F95
SHA-512:	0F6325E2A742FE90B6532E7E70E0B89C0884A210794E7CB3EB6EF7E667AD00716C6CD037EC893140C9DB324F2362AB5F5262C1FBD228718167F964819E031884
Malicious:	false
Preview:	5tGcFL9SFtlK21fd1D4IgVYAZg43ao0yLWmCXQLSD1AoCguqz87aueJkVGCiQG1a2x9fOdGk1mFoUu73vOEcqaDrNCrQOmB7AjvPhObW1XiHZePkJIxCBYtctRSMwzVOlHov9rVhwskT15SswGHFz86lzSfP6PkBBUgS0ekbxQQTyaky9jZpsQYmKC5qMFlhIjRgZ92SfqSjsnxZrrQWz4Tv64Hyj3PrpsLOJEY9rHJC7y3hOg8ezOrNQgke2Eslbl49bjQnSQorvRxHAjjC5u1aB88md4HnYhkW43GpQVMik9c9sdeTeqqqte8dknKYJBSNqaMGd3wjhS0Bg949axIs03na4mFnKyZirOTRQXzl3HJao77lsK8V2jWwxwL0yJZt3RTRqmtC8hztuMv7od4AzDqH1gdeL8wtsZhXnq5Gb5XUumBlBOMUPY3zkMZJIP19uFBVoYT8ixj4qVWOf2d7wbeTfswaQw7MEYkplp6m4Nwbz9JO0KnQw4MSksz6l3svzWzSvrnz60CipCdfjikFIraKLRE209ABfAmcJ1dJhyT51nniOTXDSnnI6pGemv96zADoaAWsEbiTXeShngngm7t2Xdgdu9gwzXF0j9HN7p81ETucXi0GHdU2RLQ6e27F4weAYb7oYai681xDtDGLIZoWDNiYtLsEr

C:\Users\Default\Music\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\Music\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\Music\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (312), with no line terminators
Category:	dropped
Size (bytes):	312
Entropy (8bit):	5.846672251408959
Encrypted:	false
SSDEEP:	6:quxeyuEh+0ruAvol0MCb9cCnTXWVLkVPwfpBdIj/7vGGKXubgXPTLAE:q+eyuC+ZAwtecCnTXWVLkNw1IL7vtKX1
MD5:	52BBC743712DF62D1792DBB323833327
SHA1:	EB4541EBBDAAE78CC2B3322D8B4EA2880B19784B
SHA-256:	B7F9F77252A331524DC5DEA6C7552CC6F593559134561CDDAE2048CE5893EB23
SHA-512:	25C64BF881296F936F2030C32AC65CFC7F9B93A8513BCAFBC69882196656D77861BBDB9C9CD748AD912F36B9AE3F2EB97660E1C40C6A8982CF5C8FB23617904A
Malicious:	false
Preview:	3bQLrWTmjjT5Q0ppAmT8zRjAy5TgLkFb95nLGqwoMTpfTZLcF6kFHKcm2QWvDwa8e26UMeiUzpvglDrYu1bOAAUycBT0TAlZ2rBad1PkXQPcY6Byi8BLUM8diH1LKsByDWn3CR52m00uu1Zg9fSV9aEqth2W9EapOaYCSHvRCIjdVNtqrVLpZqznS7KfZj3haLfTdXN2tBS00kUfxLon2uQilvuU7Q2dOBDKsZNUIT5YX8wrnprN4Qpp46ssn34dJylzhJxY8Ufjz1Km8CqSjoi8WXPvrfqOYcPjX7Kd1TPkuG0DvFtkMm4e

C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (597), with no line terminators
Category:	dropped
Size (bytes):	597
Entropy (8bit):	5.879227777115892
Encrypted:	false
SSDEEP:	12:doe7Dsq7/yHnITqBwvxJKJppmtHcPRVyHm21poiGPB1AOJXK:qeEq7/oITaCx4JpsJcT+p1pahhK
MD5:	EE8AE6B05237602A2878854B96618663
SHA1:	F50EE75DD030A81E8CFBBDBF0A555C1B2BBFDCA5
SHA-256:	60D9D313C2A7DB59F72EB03C95FAFD4389270879E855A9656FC9BC96988675B0
SHA-512:	ADC84BBC657FBCD47002C4D7BE7191E550C9CDB45809F5E89FCF5845F505E960B4E3D99079AB76AE6117A26E198CFD738E666309E0FB962B737A3DCFA0C05601
Malicious:	false
Preview:	Msq4X3aYMNbwv7fHI7K2j5NrdOG5eO9AKk6r7bpUI9g8RS65bLqw2DBRf9aJxe48NamKAxJqS0tjYPZLSKeSiMHHjpM8BggoFhu0qv4nC9eBTb2QjP0nAlZATflVlKpwUFe1ejehP0QjsGxIx5Zwp3oeIthLKjB1TsrO7BvAuTXJU0SNrcipv3Gbb9tuBTWpyZP9ZjLwJYCVgeJRbUdrBVFalQw7SB9a6rU5lSyIRvgX0v460bSqzoocTyXIwOeIZlYyJOqJgVaPzsj0VzG0sSlSD1lw4pVCRX7PXGxmvJJdOYnlPhx6HnaGAGuSm3O19X7cuUdOCeEiIHDpOAhW1Z5o70PQVf925Se0aL05Ej4mj183CFDmW1AkcTf4EM2hfMn0nNPDKmSReSFF2WOQbXfDR3YGp501qWHWOHQz0ActjsFJOaCs8mFHqjitzIXOwakIKs0uGYab5weixO1P3H3ER9ppjg9rmN7IH78fjRmjMoM4F95kQHUphg0LDLLjYsyryVa0PVqleT2nxujjkZae2SklGxcYGDKdzeGtjFV5btKOnNYSlm89RTygvztb3RfbIYxSo0AfDfDJHW82Z

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe.log

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\OneDrive\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\OneDrive\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (370), with no line terminators
Category:	dropped
Size (bytes):	370
Entropy (8bit):	5.83777531069147
Encrypted:	false
SSDEEP:	6:QXk7cOdtkdpBI7bfDAgDUtDbYNueiUy1zultCjPhcqV4fQDAvSm3YTqBT75mwRoD:QXkZcG71uY8Vhz+4KnMm3Y+BT76ltCxS
MD5:	4E3D32E3B1F313EA42564851A8C77BBB
SHA1:	73F86EE37E7620ABD90683AB2FC8B229BB7E14B8
SHA-256:	61A3594FD73A8924A5F3192060BC84FC1977907D9AE5CCAB6A192A6ABDF11C90
SHA-512:	C3EEF77258C239EC8FA851E94E9C3F7E84A022E2D21467555FBE8D62732292D1267BD7006B9E86774E5108215871ED7D005A4B9ECF086EA343F3A7F6CADA7401
Malicious:	false
Preview:	VcNWZS2udBTlrlbggziYIF0DOnSiypoIW2rdRoS8KGAYns2sTP8SEgNPmKHw9T5xWLOz37P2gkOCFbZgvkPjrWE0oc1Hgg80LMCcdCyV9GvdSLJKulAZEVG9HYKbFIVAlX12Y7Dsv3kklkidSqW5gjvzGCVE1WP1uu24TRwxhRnLvgYg0rJZvaeCmCwVl81Znsz0snJA4jXO5kDjoyOKM0GUQzSRfaLjaOhDqiyMiIeLCPGB9MrxuqMwmej2V1feYyyrC93G9CmEW4SBtQSStXytCuaM860qnAxOaY89TlxsEIarMhIFjNuA9EpSjrHDL6aVHDkURT9HjGp3Ut9bxvGaPwOWtqZmeugIrEkI7xxPOna3Zv

C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\LiveKernelReports\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\LiveKernelReports\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (433), with no line terminators
Category:	dropped
Size (bytes):	433
Entropy (8bit):	5.819391086179873
Encrypted:	false
SSDEEP:	12:wygaiNfa915o3NOhmcagxFBfktF68f0kq3:dB+fmC3iragxTkjY
MD5:	831C08CBB5D027D4ECBC1FD29D433D27
SHA1:	EA6A19B7AB3586B565D3B407E5E1B76E398A01B6
SHA-256:	603D9634770E2CC2A5D17C9A99ADD711345DB2D41930E1E3762BA991095F68E4
SHA-512:	577A28A8CCBE33FA19C6B342AD9627504AD9BEE2F11CD4EDC48DD93EB29099A7880E2D463D431468227084D512D44CC6C56CDEB9BEAC6696CE85FC441BA35D45
Malicious:	false
Preview:	mrL4kxRxo3Mx4zcasPh7EwCVnIJhPzrsLEjJ6IqyCsYyCB2cvGOK2uW0p0QbouizLem0QTekis5VXNSlPrvJkhzbrteG1OKSKjmiZBLbmomJzBcbipM68YOooKIgzYtUhnKyktLOfUg64pmqRCiLCOTvU84O2pmO5SmL0n0yd7ao2St8icPw0hRTTZdmz7W0rSBmDa0nMtsExp3CO5qaazYXAS2aJN8glk6jQG4IllkGzMfofbY3Q5Z24nmuiZd8uLdMsUvHAiyyPRixwN4szFPpKEoneKjLHlVotS5LpQ3sHlmmFy7UfvIp5xCopIn08mrn54EeStCjLhijbChpMPqVdqs5QRghmCue39qLtdBvsjdXPcMnk8os6VKPLJNBNf7JxDpcVW5sN5n3MUpxE36nYBiizb9kQAiNlUkLwuROC6eBs

C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (476), with no line terminators
Category:	dropped
Size (bytes):	476
Entropy (8bit):	5.852733063250957
Encrypted:	false
SSDEEP:	12:RATtlSNYCJZp1+zxRjzU0R5n4SsJWWrvOE86rfKMtWv0UV6UL9:+tlEj1+zT7r4ZvrFdrfKR3h9
MD5:	9C306DC62F23B5BAD68971E1DB56875B
SHA1:	9628904F181FC1220D61C061C6B668677C8D4C7F
SHA-256:	F52C7F4149B721298285A8A27475FD32402370BE17DB4D3428F1DCD089900F89
SHA-512:	B71161134561DB11D9361B6027A3E8F1F5B831ED8BE6BCB3897D5617942FB6E7AFFA13C4110F5FAE258A8220BD3797B4A52A7E60BF31DD3F98ACCC4F8CE7788B
Malicious:	false
Preview:	nQKXmlPB2NaPZ8NQhM9lvGCviuSueAjzmw6e5daK0ss8MoFRZMmrCErhNYy1Seg1nlnnBtUDvzvDXDj4pAVRX1whEYQgoi1VL1VlAcQp2i5NToKJz4MRJOdvyFimcxZN7Z1gs83NupZz6iOZOHrtVjM7Xjw53nNFJsQ3xoa1B9hdzozQ0JYVGp1YM3IIL7UHcTpNSUmkqzsWCtHsufEtP29d01r3fSpDpaAf9l7ghxoQ7eWdwaYp3k1kUMXansFYKormsltIiiMbNsfVfNHF39KEiaLwOg2ysQGTxuvKqPHUXaXlqB5al9eKdnDSa64BqXt7mMiuc6Yn20qICjGMlbNsv6zKqcutUGnAqZ9dcK8ol1Sn65P1zsaOJAMqWYE9MoTvMqbnkmtadiH3nMNvM23mqZ0qNSHEG8c6igaQdmRN89ul3SCKKTwTvqFxzvaRfpTfGLVHv7RklqoqoPx4P64xLJL1

C:\Windows\Temp\42af1c969fbb7b

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (399), with no line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	5.8295918074258894
Encrypted:	false
SSDEEP:	6:w9OJfwCtHCXJH2MdK1cKrcb1JTxHMt3SusTJcTykROLiUPyrCdSc3PuOpg:Vf1HCZNK1c2chvHM4usKJoLUJGWAg
MD5:	748E52B979EC55B0E6D2B1709CA81E37
SHA1:	AE9D3A6923CB8156665AB4B54EB7B9B93C6CB504
SHA-256:	3112BEDE4DADBD807EF6385DACE3BBA4969E18A8FF4721315E6E84E42F4FE928
SHA-512:	F1D52A3CE4CF72FC5F0A0ECE3DEDD2D8755ADFDF6532AEB46A798039CDB5D4C17EC734546E2CA4C56D8ABDFFD6A4EEE7A6EA6E6166D97F66096B4FBD7DA50BD2
Malicious:	false
Preview:	BONjddW9Vo6Peo90KayxEDmErbMXiBLo6rItRttq1Tm0R2ElfofXQIT7lI1CR8bUdSSwgQiarH5ubvwzWk23fxYyXKHI2rY22SW9jSFOGFqIMjg0VBprGiyq3eYWJaiAsD2IZxQEfnxZGPmynRw0BrwUdqFF3sFphqZJqXaivlMcuYjn1ks1nr8BQipsrLLwiH2a0dHP0OEafTjEHcNS9NCzrY2Iss0jZZ4ngIxYcdBZmif69llP82wUFCsbk9hHXeAFZ6h8oy0gMnMJ25JHHklhnjidaVxd63BIiahCDmlJCPIb0jjpzaAx3cczYEiTBWkSlEkcYGDe9cfXbGn0wInf2NOF8ro9ESHppzzv8GRtWgya7FYRasg3tEZYzfeqbEZqV0rlQ21p14J

C:\Windows\Temp\audiodg.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\audiodg.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	846848
Entropy (8bit):	6.074943837486376
Encrypted:	false
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
MD5:	C847A23633E81D799FBA45BDE7CC9951
SHA1:	090035126CABB2FB574175C271097042025202DE
SHA-256:	18E568EB4CA89F8A3E4F04B1EB15472B55B4548F4D15367377A7B942C259319C
SHA-512:	6B057E15133FE58BC1D105A90B761D2F3558E8A8D3A901D9892905DD75F6BE569A4BFF4A02D919623305C4D524D96B7F902EF3DDED6782CC237B1A47807F34BB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......^.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\bcastdvr\fc3ef8bff8a8fa

Download File

Process:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File Type:	ASCII text, with very long lines (864), with no line terminators
Category:	dropped
Size (bytes):	864
Entropy (8bit):	5.8968769454184855
Encrypted:	false
SSDEEP:	24:IqFsxTYTIQgBagK4RtQl/IvHcbYH/2qQ+3mcX8:LixMHgsIEbYH/2q1Wa8
MD5:	F76A704D4BB411921F994C4F1D5A573F
SHA1:	24B268FCBA14E7CA17702843BF8BCCED0F0ECE0C
SHA-256:	ECB7E2BB3C778C6E5D445B08E21C534C54508754AB608A1475B28B0101D6F1AC
SHA-512:	5EFCADC574194B1B9D8BE9EDCA02282909A1A973727DD6CA2A28BB92655AA2980F9AAE2C636A3F418087C55EAF301208C67624E774447FC763BF4BC8D5D5E836
Malicious:	false
Preview:	6wrbudv9Qdo9mkY0nwkDmQuN5aTx2Z8fZd4G6hs029uFNyC6wksHhAOqBdfUK7G1fJkIqR4GEtLnfpAHXWBSr17ZOOFcBXq423kEO4QeplCxylKWdY7x6yKnLL3cMbEqDRvmE62cGhmFyJknDs9ma28Dt62DAyRNhWuhziRgferZLFzBkPZdcbQKTr3IDzcSPYicYDyebcG5Li1oH1cuYyvFFkOIpJdqCYJxhWmgb4CAUU8uzOBMWr3bncXyzpzS9a3xZEHvO6SevvuuleSaIQUUfsJE9yrvEuB4bLUvHQ8aYYp2smMVXZKsGiRr5CvZOgZBu0SaJhS1S35GCRWWlWYpkSx33nzFeiL18oI2TwM0GSZMmLooqZy2IubbCZgfrNXurDHYIeCzKijS3lQs8LYEuTtOMrz4QqI24oeiDQfMW8rkKJhbJygfzTAYU2LboIjdZqXOGrosqLrvlIEDJYubJmDkoGOLFEiOZOKevTUbKyznlOxLyIRPXHUwmxj9ddnlndVX8jR0DTRVxa8aTCW6wS0R4Y18tU8qLN9I2ZNO0aLEz88MyJqbGqzUnEdjsTHtUkKka0h3yHFWHvb5ZpKjohkeYpfy6nghTcuPyYv7mxm9kdN1mhKDIiExApMvUs6LkiCpBMGA3M605k45cnMYcdYuX6OIMAn30bYCai0ZbKJ6lO2ZvQTqgisHJRRE77x3jCAdM1f3xx7SUcJJEzX5q6XStR2IQwbdWPXiNYN3vZ3skZxqIIAIk1Mnosu58WnBVd5EFl5pldJRCprTdM9IvS3eCt3fnS4Zv2XGetlhMUhGs5k9AbbwWfPDkbBVrZCTjufKRkzukc5bvwwHI3eM0ICQmUgC

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.074943837486376
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File size:	846'848 bytes
MD5:	c847a23633e81d799fba45bde7cc9951
SHA1:	090035126cabb2fb574175c271097042025202de
SHA256:	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
SHA512:	6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb
SSDEEP:	12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz
TLSH:	0505F801BE44CE51F0191233C2EF454847B4AD516AEAEB1B7DBA376E59123AB3C0D9CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6......^.... ........@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cd15e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd110	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb164	0xcb200	eac07310cc9c3c3149359cd3701f5294	False	0.5063942307692307	data	6.114881113620842	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xce000	0x2fdf	0x3000	4f8b5452697b28c56801fc7675a91934	False	0.3099772135416667	data	3.2409602076007977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd2000	0x218	0x400	a0eb98cfbb72fea7cf0984384d7b3371	False	0.263671875	data	1.8371269699553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	4f5e72608b9753d88dc8259a8859568d	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd2058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 05:27:08.535607100 CET	64938	53	192.168.2.5	1.1.1.1
Jan 10, 2025 05:27:08.543229103 CET	53	64938	1.1.1.1	192.168.2.5
Jan 10, 2025 05:27:09.593446016 CET	54911	53	192.168.2.5	1.1.1.1
Jan 10, 2025 05:27:09.684272051 CET	53	54911	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 05:27:08.535607100 CET	192.168.2.5	1.1.1.1	0xae72	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:09.593446016 CET	192.168.2.5	1.1.1.1	0xe5f0	Standard query (0)	a1066647.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 05:27:08.543229103 CET	1.1.1.1	192.168.2.5	0xae72	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:08.543229103 CET	1.1.1.1	192.168.2.5	0xae72	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:08.543229103 CET	1.1.1.1	192.168.2.5	0xae72	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Jan 10, 2025 05:27:09.684272051 CET	1.1.1.1	192.168.2.5	0xe5f0	No error (0)	a1066647.xsph.ru	141.8.192.164	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:26:58
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe"
Imagebase:	0xee0000
File size:	846'848 bytes
MD5 hash:	C847A23633E81D799FBA45BDE7CC9951
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2062107630.000000000363A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2062107630.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	23:26:59
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjtK" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\mozilla maintenance service\KryJcojekJhJNSUQWyfsXjt.exe'" /f
Imagebase:	0x7ff710ad0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	23:27:00
Start date:	09/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "KryJcojekJhJNSUQWyfsXjt" /sc ONLOGON /tr "'C:\Windows\bcastdvr\KryJcojekJhJNSUQWyfsXjt.exe'" /rl HIGHEST /f
Imagebase:	0x7ff710ad0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe

C:\Program Files (x86)\Java\jre-1.8\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

C:\Program Files (x86)\Java\jre-1.8\fc3ef8bff8a8fa

C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe

C:\Program Files (x86)\Mozilla Maintenance Service\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

C:\Program Files (x86)\Mozilla Maintenance Service\fc3ef8bff8a8fa

C:\Program Files (x86)\WindowsPowerShell\Registry.exe

C:\Program Files (x86)\WindowsPowerShell\Registry.exe:Zone.Identifier

C:\Program Files (x86)\WindowsPowerShell\ee2ad38f3d4382

C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe

C:\Program Files\Windows Defender\KryJcojekJhJNSUQWyfsXjt.exe:Zone.Identifier

C:\Program Files\Windows Defender\fc3ef8bff8a8fa

C:\Program Files\Windows Multimedia Platform\24dbde2999530e

C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe

C:\Program Files\Windows Multimedia Platform\WmiPrvSE.exe:Zone.Identifier

C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe

C:\Program Files\WindowsPowerShell\OfficeClickToRun.exe:Zone.Identifier

Windows Analysis Report
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe