Windows Analysis Report
gcqPqvNl2A.exe

Overview

General Information

Sample name: gcqPqvNl2A.exe
Renamed because the original name is a hash value
Original sample name: 85e3730c525e975f9c00e6656377a4ea2a687fefb165e4e2f8d75b6ef31a87c2.exe
Analysis ID: 1614137
MD5: f1a012ada12a8788e4959a58b51b62a3
SHA1: 9d367aa9814b3a63538cf39f22b2cd8505491c67
SHA256: 85e3730c525e975f9c00e6656377a4ea2a687fefb165e4e2f8d75b6ef31a87c2
Tags: exe, favor-ydns-eu, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

AV Detection

Source: 0000000D.00000002.2357238868.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["favor.ydns.eu"], "Port": 2627, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\mpclient.dll ReversingLabs: Detection: 21%
Source: C:\Users\user\SystemRootDoc\mpclient.dll ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: favor.ydns.eu
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: 2627
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: <123456789>
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: 77777
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp String decryptor: USB.exe
Source: gcqPqvNl2A.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: MpSvc.pdbGCTL source: archvio4.exe, 00000003.00000003.2210814588.000002D2E99B1000.00000004.00000020.00020000.00000000.sdmp, MpSvc.dll.0.dr, MpSvc.dll.3.dr
Source: Binary string: MpOAV.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll.3.dr
Source: Binary string: MpAzSubmit.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2284823912.000002534D18A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2284614197.000002534D027000.00000004.00000020.00020000.00000000.sdmp, MpAzSubmit.dll.0.dr
Source: Binary string: MpRTP.pdb source: archvio4.exe, 00000003.00000003.2209598672.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpRTP.pdbGCTL source: archvio4.exe, 00000003.00000003.2209598672.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpOAV.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll.3.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2208024913.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetoursCopyAccelerator.dll.3.dr, MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: endpointdlp.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196991521.000002534BC26000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2197479038.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2205245454.0000029251AC5000.00000004.00000020.00020000.00000000.sdmp, endpointdlp.dll.0.dr
Source: Binary string: endpointdlp.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196991521.000002534BC26000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2197479038.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2205245454.0000029251AC5000.00000004.00000020.00020000.00000000.sdmp, endpointdlp.dll.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223844316.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 00000003.00000000.2203269494.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 0000000B.00000002.2352412759.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 0000000B.00000000.2321338266.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000000.2401862932.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000002.2431245500.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe.3.dr, archvio4.exe.0.dr
Source: Binary string: MsMpCom.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211075129.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207808922.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll.0.dr
Source: Binary string: MpProvider.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2209364806.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpProvider.dll.0.dr
Source: Binary string: MpAzSubmit.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2284823912.000002534D18A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2284614197.000002534D027000.00000004.00000020.00020000.00000000.sdmp, MpAzSubmit.dll.0.dr
Source: Binary string: MpDetours.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207808922.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll.0.dr
Source: Binary string: ProtectionManagement.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211647151.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, ProtectionManagement.dll.0.dr
Source: Binary string: MpCommu.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr
Source: Binary string: AMMonitoringProvider.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196068521.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2204558061.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, AMMonitoringProvider.dll.3.dr
Source: Binary string: MpProvider.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2209364806.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpProvider.dll.0.dr
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2208024913.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetoursCopyAccelerator.dll.3.dr, MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: MpCommu.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CD139000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: ProtectionManagement.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211647151.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, ProtectionManagement.dll.0.dr
Source: Binary string: MpDlpCmd.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223844316.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 00000003.00000000.2203269494.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 0000000B.00000002.2352412759.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 0000000B.00000000.2321338266.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000000.2401862932.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000002.2431245500.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe.3.dr, archvio4.exe.0.dr
Source: Binary string: AMMonitoringProvider.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196068521.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2204558061.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, AMMonitoringProvider.dll.3.dr
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb) source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CD139000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: MsMpCom.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211075129.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpSvc.pdb source: archvio4.exe, 00000003.00000003.2210814588.000002D2E99B1000.00000004.00000020.00020000.00000000.sdmp, MpSvc.dll.0.dr, MpSvc.dll.3.dr
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rdi 3_2_00007FFD946D56E0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then sub rsp, 28h 3_2_00007FFD946DF1B0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push r14 3_2_00007FFD946D5210
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rdi 3_2_00007FFD945C5210
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rdi 3_2_00007FFD945C5210
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rsi 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then sub rsp, 28h 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then sub rsp, 28h 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rsi 3_2_00007FFD945C4F50
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945226D8
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 4x nop then push rbx 3_2_00007FFD945226D8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 11_2_00007FFD946D56E0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 11_2_00007FFD946DF1B0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push r14 11_2_00007FFD946D5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 11_2_00007FFD945C5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 11_2_00007FFD945C5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rsi 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rsi 11_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945226D8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 11_2_00007FFD945226D8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 18_2_00007FFD946D56E0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 18_2_00007FFD946DF1B0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push r14 18_2_00007FFD946D5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 18_2_00007FFD945C5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rdi 18_2_00007FFD945C5210
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rsi 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then sub rsp, 28h 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rsi 18_2_00007FFD945C4F50
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945226D8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 4x nop then push rbx 18_2_00007FFD945226D8

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:61082 -> 178.215.224.234:2627
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:61095 -> 178.215.224.234:2627
Source: Malware configuration extractor URLs: favor.ydns.eu
Source: global traffic TCP traffic: 192.168.2.6:49741 -> 178.215.224.234:2627
Source: global traffic TCP traffic: 192.168.2.6:61032 -> 162.159.36.2:53
Source: Joe Sandbox View ASN Name: LVLT-10753US
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: favor.ydns.eu
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://code.google.com/p/closure-compiler/wiki/SourceMaps
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: gcqPqvNl2A.exe String found in binary or memory: http://narwhaljs.org)
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AddInProcess32.exe, 00000004.00000002.4636292158.0000000003081000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://src.chromium.org/viewvc/blink/trunk/Source/devtools/front_end/SourceMap.js
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://userguide.icu-project.org/strings/properties
Source: gcqPqvNl2A.exe String found in binary or memory: http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html
Source: gcqPqvNl2A.exe, ThirdPartyNotices.txt.0.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: gcqPqvNl2A.exe String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll.3.dr String found in binary or memory: http://www.validationtest.contoso.com/test%ld.htmlMpOAV_ForceDeepScan
Source: archvio4.exe, archvio4.exe, 00000012.00000002.2431545236.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, archvio4.exe, 00000012.00000002.2431482911.00007FFD946E3000.00000004.00000001.01000000.0000000A.sdmp, mpclient.dll.0.dr String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: MpSvc.dll.0.dr, MpSvc.dll.3.dr String found in binary or memory: https://aka.ms/NpBhFeedbackunknown
Source: MpSvc.dll.0.dr, MpSvc.dll.3.dr String found in binary or memory: https://aka.ms/NpFeedback
Source: archvio4.exe, archvio4.exe, 00000012.00000002.2431545236.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, archvio4.exe, 00000012.00000002.2431482911.00007FFD946E3000.00000004.00000001.01000000.0000000A.sdmp, mpclient.dll.0.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: archvio4.exe String found in binary or memory: https://aka.ms/nativeaot-c
Source: archvio4.exe, 00000012.00000002.2431482911.00007FFD946E3000.00000004.00000001.01000000.0000000A.sdmp, mpclient.dll.0.dr String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: mpclient.dll.0.dr String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: gcqPqvNl2A.exe, 00000000.00000003.2284954092.000002534D2EE000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285309988.000002534D5F5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2224136670.00007FFD94768000.00000002.00000001.01000000.00000005.sdmp, archvio4.exe, 0000000B.00000002.2352761151.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, archvio4.exe, 00000012.00000002.2431545236.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, mpclient.dll.0.dr String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: gcqPqvNl2A.exe String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10201
Source: gcqPqvNl2A.exe String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=10704
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2175018298.000002534249C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=6593

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

System Summary

Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2356112859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EF5CE4: SetLastError,DeviceIoControl,GetLastError, 3_2_00007FF7C1EF5CE4
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EF369C 3_2_00007FF7C1EF369C
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EF93F8 3_2_00007FF7C1EF93F8
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94551FB0 3_2_00007FFD94551FB0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD945295B4 3_2_00007FFD945295B4
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94553560 3_2_00007FFD94553560
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD945316C0 3_2_00007FFD945316C0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94541840 3_2_00007FFD94541840
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD945412C1 3_2_00007FFD945412C1
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94539270 3_2_00007FFD94539270
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94541346 3_2_00007FFD94541346
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD945553C0 3_2_00007FFD945553C0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94529410 3_2_00007FFD94529410
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94537CA0 3_2_00007FFD94537CA0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94547C90 3_2_00007FFD94547C90
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD9455EE00 3_2_00007FFD9455EE00
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD9453FE90 3_2_00007FFD9453FE90
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD945FDF60 3_2_00007FFD945FDF60
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94608FE0 3_2_00007FFD94608FE0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94533980 3_2_00007FFD94533980
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD9452BAC0 3_2_00007FFD9452BAC0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94547AB0 3_2_00007FFD94547AB0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94527BC0 3_2_00007FFD94527BC0
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94532C30 3_2_00007FFD94532C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_018D0EC0 4_2_018D0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_018DD4DC 4_2_018DD4DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06754098 4_2_06754098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_067521B8 4_2_067521B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4_2_06752F08 4_2_06752F08
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FF69BF2369C 11_2_00007FF69BF2369C
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FF69BF293F8 11_2_00007FF69BF293F8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94551FB0 11_2_00007FFD94551FB0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD945295B4 11_2_00007FFD945295B4
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94553560 11_2_00007FFD94553560
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD945316C0 11_2_00007FFD945316C0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94541840 11_2_00007FFD94541840
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD945412C1 11_2_00007FFD945412C1
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94539270 11_2_00007FFD94539270
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94541346 11_2_00007FFD94541346
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD945553C0 11_2_00007FFD945553C0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94529410 11_2_00007FFD94529410
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94537CA0 11_2_00007FFD94537CA0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94547C90 11_2_00007FFD94547C90
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD9455EE00 11_2_00007FFD9455EE00
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD9453FE90 11_2_00007FFD9453FE90
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD945FDF60 11_2_00007FFD945FDF60
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94608FE0 11_2_00007FFD94608FE0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94533980 11_2_00007FFD94533980
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD9452BAC0 11_2_00007FFD9452BAC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94547AB0 11_2_00007FFD94547AB0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94527BC0 11_2_00007FFD94527BC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94532C30 11_2_00007FFD94532C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 13_2_00C10EC0 13_2_00C10EC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94551FB0 18_2_00007FFD94551FB0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD945295B4 18_2_00007FFD945295B4
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94553560 18_2_00007FFD94553560
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD945316C0 18_2_00007FFD945316C0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94541840 18_2_00007FFD94541840
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD945412C1 18_2_00007FFD945412C1
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94539270 18_2_00007FFD94539270
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94541346 18_2_00007FFD94541346
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD945553C0 18_2_00007FFD945553C0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94529410 18_2_00007FFD94529410
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94537CA0 18_2_00007FFD94537CA0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94547C90 18_2_00007FFD94547C90
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD9455EE00 18_2_00007FFD9455EE00
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD9453FE90 18_2_00007FFD9453FE90
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD945FDF60 18_2_00007FFD945FDF60
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94608FE0 18_2_00007FFD94608FE0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94533980 18_2_00007FFD94533980
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD9452BAC0 18_2_00007FFD9452BAC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94547AB0 18_2_00007FFD94547AB0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94527BC0 18_2_00007FFD94527BC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94532C30 18_2_00007FFD94532C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00FC0EC0 20_2_00FC0EC0
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: String function: 00007FFD9452D3E0 appears 126 times
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: String function: 00007FFD9452D3E0 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5960 -s 520
Source: EppManifest.dll.0.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll.0.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.3.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.0.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.3.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.0.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll.3.dr Static PE information: No import functions for PE file found
Source: EppManifest.dll.3.dr Static PE information: No import functions for PE file found
Source: gcqPqvNl2A.exe, 00000000.00000003.2284954092.000002534D2EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAMMonitoringProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpDlpCmd.exej% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2197378516.000002534CDEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEppManifest.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpDetoursCopyAccelerator.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpEvMsg.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempdetours.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtectionManagement.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempasdesc.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RunAsInvoker__COMPAT_LAYEROfflineTargetOS%ls\temp%ls\mpam-%lx.exeFileDescriptionAntiMalware Definition UpdateMicrosoft Malware ProtectionProductNameUpdatePlatform.EXEOriginalFilename%lsMpService_NoLowPriUpdateHttpSigUpdate_StubTimeoutx86x64ia64armarm64 vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpCommu.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempdetours.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpDetoursCopyAccelerator.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpEvMsg.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196991521.000002534BCAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameendpointdlp.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BCAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameendpointdlp.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285309988.000002534D5F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpDlpCmd.exej% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2197479038.000002534C664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameendpointdlp.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BCAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameendpointdlp.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000000.2171941664.00007FF7CD90B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAtuziqafipukev.exe< vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RunAsInvoker__COMPAT_LAYEROfflineTargetOS%ls\temp%ls\mpam-%lx.exeFileDescriptionAntiMalware Definition UpdateMicrosoft Malware ProtectionProductNameUpdatePlatform.EXEOriginalFilename%lsMpService_NoLowPriUpdateHttpSigUpdate_StubTimeoutx86x64ia64armarm64 vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpCommu.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempdetours.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtectionManagement.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2285944566.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempasdesc.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RunAsInvoker__COMPAT_LAYEROfflineTargetOS%ls\temp%ls\mpam-%lx.exeFileDescriptionAntiMalware Definition UpdateMicrosoft Malware ProtectionProductNameUpdatePlatform.EXEOriginalFilename%lsMpService_NoLowPriUpdateHttpSigUpdate_StubTimeoutx86x64ia64armarm64 vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpCommu.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempdetours.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpDetoursCopyAccelerator.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpEvMsg.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpOAV.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpCom.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2284823912.000002534D2C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpAzSubmit.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2284738907.000002534CF0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEppManifest.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2196068521.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAMMonitoringProvider.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2286341171.0000025340C39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs gcqPqvNl2A.exe
Source: gcqPqvNl2A.exe, 00000000.00000003.2284614197.000002534D165000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMpAzSubmit.dllj% vs gcqPqvNl2A.exe
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2356112859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MpRtp.dll.3.dr Binary string: "H\\.\\\?\UNC\\Device\Mup\tsclient\\\?\\\\StringFileInfo\%04x%04x\%s\VarFileInfo\Translation
Source: MpSvc.dll.3.dr Binary string: \Device\Mupj
Source: MpRtp.dll.3.dr Binary string: C:\Device\Mupj
Source: MpRtp.dll.3.dr Binary string: #File ID\Device\SftVol\\Device\MountPointManager\\%s
Source: MpRtp.dll.3.dr Binary string: A\??\Volume\Device\LanmanRedirector\\Device\Harddisk\Device\CdRom\Device\Floppy\Device\WinDfs\\Device\RdpDr\\Device\WebDavRedirector\\Device\Mup\GetVolumePathNamesForVolumeNameW*?%ws%ws[Exclusion] BEGIN: Starting to generate RTP exclusion list ...[Exclusion] %ls -> %ls[Exclusion] %ls is discarded due to error 0x%x[Exclusion] END: Successfully generated RTP exclusion list. best[Exclusion] Inclusion configured: [%ls][Exclusion] Inclusion entry: %ls -> %ls\Device\LanmanRedirector
Source: MpRtp.dll.3.dr Binary string: \DEVICE\\.\fileboottransactionfilesamplefilerequestedsamplefileexpensive->%lu%ld%ld / %ld%c%ld%cremoteremovablefixednot boot%ws / %wsPassthrough%SystemDrive%}{\Device\\??\\SystemRoot\{5737d832-9e2c-4922-9623-48a220290dcb}AUDITFolderGuardTargetDiskFolderGuardTargetPathFolderGuardIdL
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/64@1/1
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94532A60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 3_2_00007FFD94532A60
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD94532A60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 11_2_00007FFD94532A60
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD94532A60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 18_2_00007FFD94532A60
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6252
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5132
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutant created: \Sessions\1\BaseNamedObjects\1HVfneoRPArKn4A1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455
Source: gcqPqvNl2A.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gcqPqvNl2A.exe String found in binary or memory: const { NativeModule } = require('internal/bootstrap/loaders');
Source: gcqPqvNl2A.exe String found in binary or memory: // https://github.com/addaleax/eventemitter-asyncresource
Source: gcqPqvNl2A.exe String found in binary or memory: const { Module } = require('internal/modules/cjs/loader');
Source: gcqPqvNl2A.exe String found in binary or memory: const CJSModule = require('internal/modules/cjs/loader').Module;
Source: gcqPqvNl2A.exe String found in binary or memory: const { addAbortSignal } = require('internal/streams/add-abort-signal');
Source: gcqPqvNl2A.exe String found in binary or memory: throw e; /* node-do-not-add-exception-line */
Source: gcqPqvNl2A.exe String found in binary or memory: // Mark this socket as available, AFTER user-added end
Source: gcqPqvNl2A.exe String found in binary or memory: // lib/internal/modules/cjs/loader.js (CommonJS Modules) or
Source: gcqPqvNl2A.exe String found in binary or memory: // require('internal/bootstrap/loaders') even when this file is not written in
Source: gcqPqvNl2A.exe String found in binary or memory: const loaderId = 'internal/bootstrap/loaders';
Source: gcqPqvNl2A.exe String found in binary or memory: // - `lib/internal/bootstrap/loaders.js`: to setup internal binding and
Source: gcqPqvNl2A.exe String found in binary or memory: const CJSLoader = require('internal/modules/cjs/loader');
Source: gcqPqvNl2A.exe String found in binary or memory: require('internal/bootstrap/loaders').NativeModule.exposeInternals();
Source: gcqPqvNl2A.exe String found in binary or memory: const { NativeModule } = require('internal/bootstrap/loaders');
Source: gcqPqvNl2A.exe String found in binary or memory: } = require('internal/modules/cjs/loader');
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File read: C:\Users\user\Desktop\gcqPqvNl2A.exe
Source: unknown Process created: C:\Users\user\Desktop\gcqPqvNl2A.exe "C:\Users\user\Desktop\gcqPqvNl2A.exe"
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Process created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5960 -s 520
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5132 -s 520
Source: unknown Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C start "" /D "C:\Users\user\SystemRootDoc" "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6252 -s 504
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Process created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Section loaded: mpclient.dll
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Section loaded: icu.dll
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winmm.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: mpclient.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: mpclient.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\SystemRootDoc\archvio4.exe Section loaded: icu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: gcqPqvNl2A.exe Static PE information: More than 8191 > 100 exports found
Source: gcqPqvNl2A.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: gcqPqvNl2A.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: gcqPqvNl2A.exe Static file information: File size 52839920 > 1048576
Source: gcqPqvNl2A.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10f7e00
Source: gcqPqvNl2A.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xef8600
Source: gcqPqvNl2A.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: gcqPqvNl2A.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: gcqPqvNl2A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: MpSvc.pdbGCTL source: archvio4.exe, 00000003.00000003.2210814588.000002D2E99B1000.00000004.00000020.00020000.00000000.sdmp, MpSvc.dll.0.dr, MpSvc.dll.3.dr
Source: Binary string: MpOAV.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll.3.dr
Source: Binary string: MpAzSubmit.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2284823912.000002534D18A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2284614197.000002534D027000.00000004.00000020.00020000.00000000.sdmp, MpAzSubmit.dll.0.dr
Source: Binary string: MpRTP.pdb source: archvio4.exe, 00000003.00000003.2209598672.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpRTP.pdbGCTL source: archvio4.exe, 00000003.00000003.2209598672.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpOAV.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, MpOAV.dll.3.dr
Source: Binary string: MpDetoursCopyAccelerator.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2208024913.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetoursCopyAccelerator.dll.3.dr, MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: endpointdlp.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196991521.000002534BC26000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2197479038.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2205245454.0000029251AC5000.00000004.00000020.00020000.00000000.sdmp, endpointdlp.dll.0.dr
Source: Binary string: endpointdlp.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196991521.000002534BC26000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2197479038.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2205245454.0000029251AC5000.00000004.00000020.00020000.00000000.sdmp, endpointdlp.dll.0.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223844316.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 00000003.00000000.2203269494.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 0000000B.00000002.2352412759.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 0000000B.00000000.2321338266.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000000.2401862932.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000002.2431245500.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe.3.dr, archvio4.exe.0.dr
Source: Binary string: MsMpCom.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211075129.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpDetours.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207808922.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll.0.dr
Source: Binary string: MpProvider.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2209364806.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpProvider.dll.0.dr
Source: Binary string: MpAzSubmit.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2284823912.000002534D18A000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2284614197.000002534D027000.00000004.00000020.00020000.00000000.sdmp, MpAzSubmit.dll.0.dr
Source: Binary string: MpDetours.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207808922.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetours.dll.0.dr
Source: Binary string: ProtectionManagement.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211647151.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, ProtectionManagement.dll.0.dr
Source: Binary string: MpCommu.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr
Source: Binary string: AMMonitoringProvider.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196068521.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2204558061.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, AMMonitoringProvider.dll.3.dr
Source: Binary string: MpProvider.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2209364806.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpProvider.dll.0.dr
Source: Binary string: MpDetoursCopyAccelerator.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286957799.000002534BC19000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2208024913.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpDetoursCopyAccelerator.dll.3.dr, MpDetoursCopyAccelerator.dll.0.dr
Source: Binary string: MpCommu.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2207570804.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, MpCommu.dll.0.dr, MpCommu.dll.3.dr
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CD139000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: ProtectionManagement.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211647151.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, ProtectionManagement.dll.0.dr
Source: Binary string: MpDlpCmd.pdb source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196777891.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223844316.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 00000003.00000000.2203269494.00007FF7C1F01000.00000002.00000001.01000000.00000004.sdmp, archvio4.exe, 0000000B.00000002.2352412759.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 0000000B.00000000.2321338266.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000000.2401862932.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe, 00000012.00000002.2431245500.00007FF69BF31000.00000002.00000001.01000000.00000009.sdmp, archvio4.exe.3.dr, archvio4.exe.0.dr
Source: Binary string: AMMonitoringProvider.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2196134465.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2196068521.000002534A7D5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2204558061.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp, AMMonitoringProvider.dll.3.dr
Source: Binary string: C:\Users\runneradmin\AppData\Local\Temp\pkg.d7c6a10fb0263a69b4596321\node\out\Release\node.pdb) source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CD139000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: MsMpCom.pdbGCTL source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286013656.000002534BB58000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2286584712.000002534BB8A000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000003.2211075129.0000029251AC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MpSvc.pdb source: archvio4.exe, 00000003.00000003.2210814588.000002D2E99B1000.00000004.00000020.00020000.00000000.sdmp, MpSvc.dll.0.dr, MpSvc.dll.3.dr
Source: gcqPqvNl2A.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gcqPqvNl2A.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gcqPqvNl2A.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gcqPqvNl2A.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gcqPqvNl2A.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, Messages.cs .Net Code: Memory
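The decompiled Messages.cs lines above show the shape of the plugin channel: a message is split on Settings.SPL into a Pack array, Pack[2] is the plugin name, Pack[3] is a Base64 string that Helper.Decompress inflates, and the result is handed to System.AppDomain.Load(byte[]) and invoked through NewLateBinding.LateCall. The following Python is an added example for analysts, not code from the sample or from this report: it builds and parses such a message offline. The separator value, the field layout (command, unused, name, payload) and the compression used by Helper.Decompress (gzip, with raw deflate as a fallback) are assumptions, and the plugin blob is a constructed header-only stub.

```python
import base64
import gzip
import io
import zlib

# Assumed separator: the real Settings.SPL value is not given in the report.
SPL = "<Xwormmm>"

# Constructed stand-in for a plugin: an MZ header whose e_lfanew (0x3C)
# points at a "PE\0\0" signature. Not loadable; only the checks below use it.
FAKE_PLUGIN = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20


def build_packet(command, name, payload):
    """Join [command, <unused>, name, base64(gzip(payload))] with SPL.
    Field positions mirror Pack[2] / Pack[3] in Messages.cs; the rest is assumed."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(payload)
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return SPL.join([command, "", name, b64])


def decompress(data):
    """Inflate as gzip, falling back to raw deflate (which of the two
    Helper.Decompress uses is an assumption of this example)."""
    try:
        return gzip.decompress(data)
    except (OSError, EOFError):
        return zlib.decompress(data, -15)


def unpack(message):
    """Split a Pack-style message; return (command, plugin name, plugin bytes)."""
    pack = message.split(SPL)
    if len(pack) < 4:
        raise ValueError("message has fewer than 4 fields")
    plugin = decompress(base64.b64decode(pack[3]))
    return pack[0], pack[2], plugin


def is_pe(blob):
    """Cheap sanity check on what would reach AppDomain.Load(byte[]):
    MZ at offset 0 and PE\\0\\0 at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    msg = build_packet("Plugin", "Memory", FAKE_PLUGIN)
    cmd, name, blob = unpack(msg)
    print(cmd, name, len(blob), "bytes, PE:", is_pe(blob))
```

Run against captured traffic, the same split/decode/inflate steps recover the plugin assembly without ever executing it; the is_pe check is the point at which a sandbox or an EDR hook would decide whether an in-memory load is about to happen.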
Source: MpDetours.dll.0.dr Static PE information: 0xE96BDBBE [Thu Feb 4 22:12:14 2094 UTC]
Source: gcqPqvNl2A.exe Static PE information: section name: _RDATA
Source: mpclient.dll.0.dr Static PE information: section name: .managed
Source: mpclient.dll.0.dr Static PE information: section name: hydrated
Source: mpclient.dll.0.dr Static PE information: section name: _RDATA
Source: MpRtp.dll.0.dr Static PE information: section name: .didat
Source: MpSvc.dll.0.dr Static PE information: section name: .didat
Source: ProtectionManagement.dll.0.dr Static PE information: section name: .didat
Source: MpRtp.dll.3.dr Static PE information: section name: .didat
Source: MpSvc.dll.3.dr Static PE information: section name: .didat
Source: ProtectionManagement.dll.3.dr Static PE information: section name: .didat
Source: mpclient.dll.3.dr Static PE information: section name: .managed
Source: mpclient.dll.3.dr Static PE information: section name: hydrated
Source: mpclient.dll.3.dr Static PE information: section name: _RDATA
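The two static findings above (a compile timestamp in 2094 on MpDetours.dll and section names such as .managed, hydrated, _RDATA and .didat) come straight out of the COFF header and section table. The Python below is an added example, not part of this report, showing how to pull those two fields from a PE without a third-party library and flag them; the input is a constructed header-only PE built with the timestamp 0xE96BDBBE from the report. Read the output as prompts for a second look rather than verdicts: .didat is the delay-load import section, and Microsoft's reproducible builds are known to store a hash rather than a build date in TimeDateStamp, so a future timestamp on a signed Defender platform DLL is expected and is not by itself evidence of tampering.

```python
import struct
import time

# Linker defaults that need no comment; anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".gfids", ".00cfg"}


def parse_pe(blob):
    """Return (TimeDateStamp, [section names]) from the COFF header."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, nsect, tstamp, _sym, _nsym, opt_size, _ch = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsect):
        raw = struct.unpack_from("8s", blob, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return tstamp, names


def assess(blob, now=None):
    """Flag a timestamp later than `now` and any non-default section name."""
    now = time.time() if now is None else now
    tstamp, names = parse_pe(blob)
    findings = []
    if tstamp > now:
        when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(tstamp))
        findings.append("timestamp in the future: " + when)
    for n in names:
        if n not in COMMON_SECTIONS:
            findings.append("unusual section name: " + n)
    return tstamp, names, findings


def make_pe(tstamp, names):
    """Constructed header-only PE (not loadable) for demonstration."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), tstamp, 0, 0, 0, 0x2022)
    sects = b"".join(struct.pack("8s", n.encode("ascii")) + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sects


# Timestamp from the MpDetours.dll finding; section names from the report.
SAMPLE = make_pe(0xE96BDBBE, [".text", ".rdata", ".didat", "hydrated"])

if __name__ == "__main__":
    ts, names, findings = assess(SAMPLE)
    print(hex(ts), names)
    for f in findings:
        print(" -", f)
```

Pointing parse_pe at a real dropped file (open it in binary mode and pass the bytes) gives the same two fields; compare the timestamp finding against the Authenticode signature before treating it as an indicator.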
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpAsDesc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\EppManifest.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpOAV.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpSvc.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpOAV.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpSvc.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MsMpLics.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpEvMsg.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpCommu.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpDetours.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MsMpLics.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\EppManifest.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\AMMonitoringProvider.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\AMMonitoringProvider.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpAsDesc.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpAzSubmit.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\mpclient.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\endpointdlp.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpRtp.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpProvider.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpCommu.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpDetours.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\archvio4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpRtp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpEvMsg.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MpProvider.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\mpclient.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\endpointdlp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\MsMpCom.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MpAzSubmit.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\MsMpCom.dll Jump to dropped file
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe File created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\ProtectionManagement.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe File created: C:\Users\user\SystemRootDoc\ProtectionManagement.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run archvio4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run archvio4 Jump to behavior
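The file-creation and registry lines above describe a persistence chain worth a hunt rule: the first stage writes a full set of Defender platform DLLs (MpSvc.dll, mpclient.dll, MpRtp.dll and the rest) plus archvio4.exe into a per-run %TEMP% directory, the second stage copies the same set into C:\Users\user\SystemRootDoc, and archvio4.exe registers itself under HKCU\...\CurrentVersion\Run. The Python below is an added example, not code from the report or the sample, that runs two checks over constructed Sysmon-style events (IDs 11 and 13 as dicts): a Defender-named DLL written anywhere other than the Defender install or platform directory, and a Run value whose data points into a user-writable path. The report does not show the Run value's data, so the example assumes it names the copy in C:\Users\user\SystemRootDoc; the legitimate Defender paths are the standard layout and are an assumption as well.

```python
import re

# File names taken from the dropped-file lines of the report.
DEFENDER_DLLS = {
    "mpsvc.dll", "mpclient.dll", "mprtp.dll", "mpoav.dll", "msmpcom.dll",
    "mpdetours.dll", "mpdetourscopyaccelerator.dll", "protectionmanagement.dll",
    "eppmanifest.dll", "ammonitoringprovider.dll", "mpazsubmit.dll",
    "endpointdlp.dll", "msmplics.dll", "mpevmsg.dll", "mpcommu.dll",
    "mpasdesc.dll", "mpprovider.dll",
}

# Assumed legitimate locations (standard Defender layout), lower-case prefixes.
EXPECTED_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)

# Constructed events: two drawn from the report's paths, two benign controls.
EVENTS = [
    {"id": 11, "image": "C:\\Users\\user\\Desktop\\gcqPqvNl2A.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Temp\\3425948a26be0f83539952313fed1455\\MpSvc.dll"},
    {"id": 11, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\3425948a26be0f83539952313fed1455\\archvio4.exe",
     "target": "C:\\Users\\user\\SystemRootDoc\\archvio4.exe"},
    {"id": 13, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\3425948a26be0f83539952313fed1455\\archvio4.exe",
     "target": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\archvio4",
     "details": "C:\\Users\\user\\SystemRootDoc\\archvio4.exe"},          # assumed value data
    {"id": 11, "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MpSvc.dll"},
    {"id": 13, "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"},
]


def check_file_create(ev):
    """Sysmon ID 11: Defender component name outside its expected directory."""
    path = ev["target"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in DEFENDER_DLLS and not path.startswith(EXPECTED_PREFIXES):
        return "defender-named dll outside platform dir: " + ev["target"]
    return None


def check_run_key(ev):
    """Sysmon ID 13: Run value whose data lives under a user profile."""
    if "\\currentversion\\run\\" in ev["target"].lower() and USER_WRITABLE.match(ev.get("details", "")):
        return "run key points into user-writable path: " + ev["details"]
    return None


def detect(events):
    """Return the list of findings for a sequence of event dicts."""
    hits = []
    for ev in events:
        finding = None
        if ev["id"] == 11:
            finding = check_file_create(ev)
        elif ev["id"] == 13:
            finding = check_run_key(ev)
        if finding:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h)
```

The first check fires on the %TEMP% drop and, with the same rule, on the SystemRootDoc copies; the second fires on the Run value regardless of what the executable is called, which matters because the name archvio4 is specific to this sample.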
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (83 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: archvio4.exe PID: 5960, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (51 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory allocated: 29251D20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 18D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 5080000 memory reserve | memory write watch
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory allocated: 1FEB67B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4A10000 memory reserve | memory write watch
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory allocated: 1B4EAE50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: FC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4990000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 (3 occurrences; 922337203685477 ms is Int64.MaxValue / 10,000, i.e. .NET TimeSpan.MaxValue expressed in milliseconds, so the thread waits effectively forever)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 3435
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 6395
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Dropped PE files which have not been started, all under C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\: AMMonitoringProvider.dll, endpointdlp.dll, EppManifest.dll, MpAsDesc.dll, MpAzSubmit.dll, MpCommu.dll, MpDetours.dll, MpDetoursCopyAccelerator.dll, MpEvMsg.dll, MpOAV.dll, MpProvider.dll, MpRtp.dll, MpSvc.dll, MsMpCom.dll, MsMpLics.dll, ProtectionManagement.dll (16 files)
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Dropped PE files which have not been started, all under C:\Users\user\SystemRootDoc\: AMMonitoringProvider.dll, endpointdlp.dll, EppManifest.dll, MpAsDesc.dll, MpAzSubmit.dll, MpCommu.dll, MpDetours.dll, MpDetoursCopyAccelerator.dll, MpEvMsg.dll, MpOAV.dll, MpProvider.dll, MpRtp.dll, MpSvc.dll, MsMpCom.dll, MsMpLics.dll, ProtectionManagement.dll (16 files)
Note: both stages drop the same 16 file names, and each name matches a Microsoft Defender Antimalware Platform component (MpSvc.dll, MpRtp.dll, MsMpCom.dll and so on); none of them is executed or loaded during the analysis.
Source: C:\Users\user\SystemRootDoc\archvio4.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe API coverage: 6.2 %
Source: C:\Users\user\SystemRootDoc\archvio4.exe API coverage: 6.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2940 Thread sleep count: 33 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2940 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4864 Thread sleep count: 3435 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4864 Thread sleep count: 6395 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 2448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File Volume queried: C:\ FullSizeInformation (35 occurrences)
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD94532690 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 3_2_00007FFD94532690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: ProtectionManagement.dll.0.dr Binary or memory string: c!CpMicrosoft HvVMwareVMware
Source: gcqPqvNl2A.exe, 00000000.00000003.2284954092.000002534D2EE000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285309988.000002534D5F5000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2224136670.00007FFD94768000.00000002.00000001.01000000.00000005.sdmp, archvio4.exe, 0000000B.00000002.2352761151.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, archvio4.exe, 00000012.00000002.2431545236.00007FFD94768000.00000002.00000001.01000000.0000000A.sdmp, mpclient.dll.0.dr Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: AddInProcess32.exe, 00000004.00000002.4635200090.0000000001397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: ProtectionManagement.dll.0.dr Binary or memory string: VMwareVMware
Source: gcqPqvNl2A.exe, 00000000.00000003.2286710236.000002534C633000.00000004.00000020.00020000.00000000.sdmp, gcqPqvNl2A.exe, 00000000.00000003.2285668126.000002534C5E1000.00000004.00000020.00020000.00000000.sdmp, archvio4.exe, 00000003.00000002.2222965822.0000029251AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [read : ToSubclass] boolean IsVirtualMachine = FALSE;
Source: gcqPqvNl2A.exe, 00000000.00000000.2170541447.00007FF7CC739000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EFA3D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF7C1EFA3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EF9D90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF7C1EF9D90
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EFA580 SetUnhandledExceptionFilter, 3_2_00007FF7C1EFA580
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EFA3D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF7C1EFA3D8
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FFD9458CFD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FFD9458CFD8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FF69BF2A580 SetUnhandledExceptionFilter, 11_2_00007FF69BF2A580
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FF69BF29D90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF69BF29D90
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FF69BF2A3D8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FF69BF2A3D8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 11_2_00007FFD9458CFD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FFD9458CFD8
Source: C:\Users\user\SystemRootDoc\archvio4.exe Code function: 18_2_00007FFD9458CFD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FFD9458CFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 11A5008
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 9F7008
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000
Source: C:\Users\user\SystemRootDoc\archvio4.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 8D1008
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Process created: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\SystemRootDoc\archvio4.exe "C:\Users\user\SystemRootDoc\archvio4.exe"
Source: C:\Users\user\SystemRootDoc\archvio4.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: conhost.exe, 00000002.00000002.4635425414.000002DD06431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: conhost.exe, 00000002.00000002.4635425414.000002DD06431000.00000002.00000001.00040000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000002.00000002.4635425414.000002DD06431000.00000002.00000001.00040000.00000000.sdmp, archvio4.exe, 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Progman
Source: archvio4.exe, 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd`(q
Source: archvio4.exe, 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, archvio4.exe, 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Progman`(q
Source: conhost.exe, 00000002.00000002.4635425414.000002DD06431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\gcqPqvNl2A.exe Queries volume information: C:\Users\user\Desktop\gcqPqvNl2A.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EFA2C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_00007FF7C1EFA2C4
Source: C:\Users\user\AppData\Local\Temp\3425948a26be0f83539952313fed1455\archvio4.exe Code function: 3_2_00007FF7C1EF6098 GetVersionExW,GetLastError, 3_2_00007FF7C1EF6098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: AddInProcess32.exe, 00000004.00000002.4638546772.00000000068D7000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4635200090.0000000001449000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4638546772.00000000068C3000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4635200090.0000000001397000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.4638546772.00000000068E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2356112859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 5132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 5608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 6252, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 11.2.archvio4.exe.1febac6a720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.archvio4.exe.1b4ef06a720.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.archvio4.exe.1febac6a720.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c6a7d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c61081.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c61081.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.archvio4.exe.1b4ef06a720.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.archvio4.exe.29255c6a7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2356112859.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2352088950.000001FEBAC61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2430908712.000001B4EF061000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2223433285.0000029255C61000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 5960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 5132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 5608, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: archvio4.exe PID: 6252, type: MEMORYSTR