
Windows Analysis Report
hGlhyegaG6.exe

Overview

General Information

Sample name: hGlhyegaG6.exe (renamed because the original name is a hash value)
Original sample name: 7915b71dd31bd2c6f7a6bba943525920.exe
Analysis ID: 1625857
MD5: 7915b71dd31bd2c6f7a6bba943525920
SHA1: 0eda1ff79008761704bf522162accb687894a965
SHA256: baf42171b1fc708641b1214b78090ff6b95c2f1dfcc3789b322831b5b811eb9d
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 60 (range 0 - 100)
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SLDT)
Contains functionality to detect virtual machines (STR)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
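Several of the static signatures above (invalid checksum, more sections than normal, non-standard section names, suspicious time stamp, 32-bit PE) are cheap header checks that can be reproduced outside the sandbox. The following is an added example, not Joe Sandbox's code and not taken from the sample: it builds a constructed PE32 header set in memory (the same EXECUTABLE_IMAGE, 32BIT_MACHINE characteristics the report lists for hGlhyegaG6.exe) and runs those checks on it. The section-count threshold, the timestamp window and the list of "standard" section names are this example's own assumptions, not the sandbox's rules.

```python
"""Static PE header checks (added example; constructed input, no real file read)."""
import struct
import time

# Assumed list of conventional section names; sandboxes keep their own lists.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}
MAX_NORMAL_SECTIONS = 8          # assumed threshold, not Joe Sandbox's
OLDEST_PLAUSIBLE_TS = 788918400  # 1995-01-01 UTC, assumed threshold


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Standard PE CheckSum: fold the file as 32-bit words with end-around carry
    (skipping the CheckSum field itself), fold to 16 bits, add the file length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def build_pe32(section_names, timestamp: int, checksum=None) -> bytes:
    """Constructed minimal PE32 image (headers only, no code). checksum=None
    stores the correct value; any other value is written as-is to simulate
    a wrong or zeroed field."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine=I386, NumberOfSections, TimeDateStamp, symtab ptr/count,
    # SizeOfOptionalHeader=224, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), timestamp,
                       0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 60, 0x400)           # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1")[:8], 0x1000,
                    0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sections)
    image += b"\x00" * (0x400 - len(image))
    chk_off = e_lfanew + 24 + 64                     # OptionalHeader.CheckSum
    value = pe_checksum(bytes(image), chk_off) if checksum is None else checksum
    struct.pack_into("<I", image, chk_off, value)
    return bytes(image)


def inspect_pe(data: bytes, now: int = None) -> dict:
    """Return header facts plus the findings a triage list would carry."""
    now = int(time.time()) if now is None else now
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    chk_off = opt_off + 64
    stored = struct.unpack_from("<I", data, chk_off)[0]
    computed = pe_checksum(data, chk_off)
    names = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    findings = []
    if magic == 0x10B:
        findings.append("32-bit PE")
    if stored == 0:
        findings.append("checksum not set (linker default for many user-mode builds)")
    elif stored != computed:
        findings.append(f"invalid checksum: header 0x{stored:08X}, computed 0x{computed:08X}")
    if nsect > MAX_NORMAL_SECTIONS:
        findings.append(f"more sections than normal: {nsect}")
    odd = [n for n in names if n not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    if ts == 0 or ts < OLDEST_PLAUSIBLE_TS or ts > now + 86400:
        findings.append(f"suspicious time stamp: {ts}")
    return {"machine": machine, "sections": names, "timestamp": ts,
            "checksum_ok": stored == computed, "findings": findings}
```

Two caveats when reading these hits in a report: the Windows loader only enforces the checksum for drivers and a few system images, so user-mode builds routinely ship a zero or stale value, and a compiler set to reproducible builds (MSVC /Brepro) writes a hash rather than a time into TimeDateStamp, which then looks "in the future". They are triage hints to weigh with the dynamic evidence, not verdicts.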

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious]
  • System is w10x64
  • hGlhyegaG6.exe (PID: 4944 cmdline: "C:\Users\user\Desktop\hGlhyegaG6.exe" MD5: 7915B71DD31BD2C6F7A6BBA943525920)
    • hGlhyegaG6.tmp (PID: 2916 cmdline: "C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp" /SL5="$30584,32291600,857600,C:\Users\user\Desktop\hGlhyegaG6.exe" MD5: 6E8DE531DFA6FFD065F93E3902A1CB51)
      • overseer.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe" MD5: 7D81D10AA526A9F85DC4C4670AD7BDB3)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\)).t.8.1.exe (copy) | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-G796Q.tmp | ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MVSHD.tmp | ReversingLabs: Detection: 17%
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\w.)...exe (copy) | ReversingLabs: Detection: 28%
Source: hGlhyegaG6.exe | Virustotal: Detection: 20%
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_4d2e4271-e)
Source: hGlhyegaG6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 2.19.11.98:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: hGlhyegaG6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256b% | source: is-H6PSO.tmp.1.dr
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdb | source: is-6EAPK.tmp.1.dr
Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb | source: is-H6PSO.tmp.1.dr
Source: Binary string: C:\vmagent_new\bin\joblist\784575\out\Release\InstSe.pdb | source: is-MME84.tmp.1.dr
Source: Binary string: d:\Work\Wnsoft\WnInstall(wnwg)\WnInstall\Release\WnInstall.pdb | source: is-P1BFE.tmp.1.dr
Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdbI | source: is-6EAPK.tmp.1.dr
Source: Binary string: C:\BUILD\work\3ec84b7238d5b18a\BUILDS\Release\x64\overseer.pdb | source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp
Source: global traffic | TCP traffic: 192.168.2.4:60676 -> 1.1.1.1:53
Source: Joe Sandbox View | IP Address: 34.117.223.223
Source: Joe Sandbox View | IP Address: 2.19.11.98
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
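A JA3 hash is the MD5 of five fields taken from the ClientHello in the order the client sent them: TLS version, cipher suites, extension types, supported groups and EC point formats, with GREASE values dropped. It therefore identifies the TLS stack and its configuration rather than the binary; the User-Agent captured below shows this sample's HTTP client is libcurl built against Schannel, so the fingerprint above is that of Windows's own TLS stack as driven by that libcurl build, and "seen in connection with other malware" on a widely shared stack is corroboration, not proof. The following added example (not Joe Sandbox's or the sample's code) builds a constructed ClientHello, parses it back and computes the fingerprint; the hash reported above cannot be reproduced because the report does not include the ClientHello bytes, and the cipher and group lists used here are illustrative.

```python
"""JA3 client fingerprint from a TLS ClientHello (added example, constructed record)."""
import hashlib
import struct


def _ext(etype: int, body: bytes) -> bytes:
    return struct.pack(">HH", etype, len(body)) + body


def build_client_hello(ciphers, groups, point_formats, sni="example.invalid",
                       version=0x0303) -> bytes:
    """Constructed TLS record carrying one ClientHello (not captured traffic).
    A GREASE extension is placed first, as Chromium-style clients do."""
    host = sni.encode()
    exts = (_ext(0x2A2A, b"")                                      # GREASE
            + _ext(0, struct.pack(">HBH", len(host) + 3, 0, len(host)) + host)
            + _ext(10, struct.pack(">H", 2 * len(groups))
                   + b"".join(struct.pack(">H", g) for g in groups))
            + _ext(11, bytes([len(point_formats)]) + bytes(point_formats))
            + _ext(13, struct.pack(">HHH", 4, 0x0403, 0x0804)))    # signature_algorithms
    body = (struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # random, empty session id
            + struct.pack(">H", 2 * len(ciphers))
            + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull the five JA3 inputs out of a record holding one ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs = record[5:]
    p = 4                                               # skip type + 3-byte length
    version = struct.unpack_from(">H", hs, p)[0]
    p += 2 + 32                                         # version, client random
    p += 1 + hs[p]                                      # session id
    n = struct.unpack_from(">H", hs, p)[0]
    p += 2
    ciphers = [struct.unpack_from(">H", hs, p + i)[0] for i in range(0, n, 2)]
    p += n
    p += 1 + hs[p]                                      # compression methods
    exts, groups, formats = [], [], []
    if p < len(hs):
        end = p + 2 + struct.unpack_from(">H", hs, p)[0]
        p += 2
        while p < end:
            etype, elen = struct.unpack_from(">HH", hs, p)
            body = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            exts.append(etype)
            if etype == 10:                             # supported_groups
                m = struct.unpack_from(">H", body, 0)[0]
                groups = [struct.unpack_from(">H", body, 2 + i)[0] for i in range(0, m, 2)]
            elif etype == 11:                           # ec_point_formats
                formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats}


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ..., 0xFAFA) are excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(hello: dict) -> str:
    join = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    return ",".join([str(hello["version"]), join(hello["ciphers"]),
                     join(hello["extensions"]), join(hello["groups"]),
                     join(hello["formats"])])


def ja3_digest(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ja3_fingerprint(record: bytes):
    """(ja3 string, ja3 hash) for one ClientHello record."""
    s = ja3_string(parse_client_hello(record))
    return s, ja3_digest(s)
```

Because the hash covers the order of the lists, clients that shuffle extension order per connection produce a different JA3 every time, and any change to the cipher list (a library upgrade, a policy change) changes it for every program on the host. Pair the hash with the SNI/destination and the originating process before acting on it.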
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: global traffic | HTTP traffic detected:
  GET /tools/avg/overseer/x64/overseer.exe.def HTTP/1.1
  Host: s-overseer.avcdn.net
  User-Agent: libcurl/8.0.1-DEV Schannel zlib/1.2.11 c-ares/1.19.0 nghttp2/1.48.0
  Accept: */*
  Accept-Encoding: deflate, gzip
Source: global traffic | DNS traffic detected: DNS query: s-overseer.avcdn.net
Source: global traffic | DNS traffic detected: DNS query: v7event.stats.avast.com
Source: global traffic | DNS traffic detected: DNS query: analytics.ff.avast.com
Source: unknown | HTTP traffic detected:
  POST /v4/receive/json/56 HTTP/1.1
  Host: analytics.ff.avast.com
  Accept: */*
  Accept-Encoding: deflate, gzip
  Content-Type: application/json
  User-Agent: Overseer.214.478/x64.19045
  Content-Length: 402
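Two of the network signatures above deserve a careful reading. "TCP/UDP traffic detected without corresponding DNS query: 1.1.1.1" fires because 1.1.1.1 is the sandbox's resolver, and nothing ever looks up the resolver's own address, so those hits are expected for any name resolution. "Detected non-DNS traffic on DNS port" is the meaningful one, but it is only meaningful if the bytes on port 53 fail to parse as a DNS message, and the report does not show the payload; DNS over TCP (the 192.168.2.4:60676 -> 1.1.1.1:53 connection) is itself legitimate, since resolvers fall back to TCP for truncated or large answers. The following added example (not Joe Sandbox's code) shows the per-packet check such a signature performs, with constructed DNS and non-DNS payloads; it assumes one DNS message per TCP segment.

```python
"""Is the payload on port 53 actually DNS? (added example; constructed packets)"""
import struct

DNS_CLASSES = {1, 3, 4, 254, 255}               # IN, CH, HS, NONE, ANY


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234,
                    response: bool = False) -> bytes:
    """Constructed DNS message: header plus one question, no answer records."""
    flags = 0x8180 if response else 0x0100     # RD; a response adds QR and RA
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack(">HH", qtype, 1))


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg


def _read_name(msg: bytes, off: int):
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                   # compression pointer: note it, do not follow
            off += 1
            labels.append("<ptr>")
            break
        if n > 63 or off + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def classify_dns_payload(msg: bytes):
    """'dns-query' / 'dns-response' when the bytes parse as a DNS message with a
    sane header and question section, otherwise None."""
    if len(msg) < 12:
        return None
    _, flags, qd, _, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if flags & 0x0040:                         # reserved Z bit must be zero
        return None
    if (flags >> 11) & 0xF > 5:                # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return None
    is_response = bool(flags & 0x8000)
    if qd == 0 and not is_response:
        return None
    off = 12
    try:
        for _ in range(qd):
            _, off = _read_name(msg, off)
            qtype, qclass = struct.unpack_from(">HH", msg, off)
            off += 4
            if qtype == 0 or qclass not in DNS_CLASSES:
                return None
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    return "dns-response" if is_response else "dns-query"


def classify_port53(payload: bytes, proto: str) -> str:
    """What a 'non-DNS traffic on DNS port' check does for one packet. Over TCP the
    length prefix must match the message that follows it."""
    if proto == "tcp":
        if len(payload) < 2 or struct.unpack_from(">H", payload, 0)[0] != len(payload) - 2:
            return "non-dns"
        payload = payload[2:]
    return classify_dns_payload(payload) or "non-dns"


def question_name(msg: bytes) -> str:
    return _read_name(msg, 12)[0]
```

In a real capture the TCP check has to reassemble the stream first, because a segment may carry several length-prefixed messages or half of one; applying the per-packet test to raw segments is exactly how a sandbox can flag ordinary DNS over TCP as "non-DNS".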
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/code-to-activation
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/code-to-registration
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/config/soft_down
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/config/update
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/coupon-detail
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/coupon-detailRequest
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/ewm
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/getToken
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/license
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/mem_profile
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/notlogin-pay-qr
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/open-wx-login
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/price_plan
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/registration-code/check
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/registration-code/registerU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/eventU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/installU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/install_failU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/onlineU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/preinstallU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/report/uninstallU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/sstatU
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/verify-buy
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://api.kuaixunda.cn/api/wechat-qr
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: http://api.pdfxd.com/pdf-service/v1/report%s?product=%s&version=%s&timestamp=%I64d&sign=%sactionprod
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://baoku.360.cn/search/webSoftList
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://baoku.360.cn/search/webSoftList(softmgr)
Source: is-P1BFE.tmp.1.dr | String found in binary or memory: http://bar.baidu.com/ie_xy.html
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://bbs.360safe.com/forum.php?mod=forumdisplay&fid=164&tj=soft/catlog=360softmgr
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-K1PBH.tmp.1.dr, is-4MVAS.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.dr | String found in binary or memory: http://crl.wosign.com/WoSignCodeSigning.crl0G
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-K1PBH.tmp.1.dr, is-4MVAS.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.dr | String found in binary or memory: http://crt.wosign.com/WoSignCodeSigning.crt0
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: overseer.exe, 00000002.00000003.1835747192.0000000000569000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://fallback.iabsra.avg.u.avcdn.net/avg/iabsra/servers.defon
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://hao.360.cnhttps://hao.360.cnIHomePageSafeEx1win10setsafemon
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: http://https://ftp://http://&%s=%sllProcessIyInformatioNtQuer%snProcessQueryFu%smageNameWKernel32.dl
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://iavs9x.avg.u.avcdn.net/avg/iavs9x/servers.defiavs9xavg_fallback_servershttp://fallback.iabsra
Source: is-0LBHD.tmp.1.dr, is-IOLM1.tmp.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: is-0LBHD.tmp.1.dr, is-K1PBH.tmp.1.dr, is-IOLM1.tmp.1.dr, is-G796Q.tmp.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: is-K1PBH.tmp.1.dr, is-4MVAS.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: is-K1PBH.tmp.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: is-6EAPK.tmp.1.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.cab
Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.cab(
Source: overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.lzma
Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.lzmaSTEM32R
Source: overseer.exe, overseer.exe, 00000002.00000003.1835602672.000000000057B000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.cab
Source: overseer.exe, overseer.exe, 00000002.00000003.1835602672.000000000057B000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.lzma
Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.lzmaW
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: is-6EAPK.tmp.1.dr | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://sf.symcd.com0&
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: is-MVSHD.tmp.1.dr | String found in binary or memory: http://tt.137365.com
Source: overseer.exe, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://v7event.stats.avast.co
Source: overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Source: is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.baidu.com/index.php?tn=bdwn_pginvalid
Source: is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.baidu.com/index.php?tn=tt98com_3_pg
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://www.borland.com/namespaces/Types
Source: hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.comodogroup.com/repository0B
Source: is-K1PBH.tmp.1.dr, is-4MVAS.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://www.haili.io
Source: is-G796Q.tmp.1.dr | String found in binary or memory: http://www.haili.io0
Source: is-4MVAS.tmp.1.dr | String found in binary or memory: http://www.indyproject.org/
Source: is-K6GSK.tmp.1.dr | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-MVSHD.tmp.1.dr | String found in binary or memory: http://www.ttwnl.com
Source: is-MVSHD.tmp.1.dr | String found in binary or memory: http://www.ttwnl.com/
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://www.winimage.com/zLibDll
Source: is-MME84.tmp.1.dr | String found in binary or memory: http://www.winimage.com/zLibDllc
Source: is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.wn51.com/
Source: hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.wn51.com/0
Source: is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.wnwb.com/
Source: hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.dr | String found in binary or memory: http://www.wosign.com/cps/0
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://analytics.ff.avast.com
Source: overseer.exe, 00000002.00000002.1858743479.0000000000562000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/
Source: overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56
Source: overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56172
Source: overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56I
Source: overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835835518.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56V
Source: overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56abinet0
Source: overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56uistatU
Source: overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://analytics.ff.avast.com/v4/receive/json/56vers
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://analytics.ff.avast.comburger_over_http/v4/receive/json/56burgerx
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: https://apis.pdfxd.com/account/v1/api/forgetpwd/step/submit?
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: is-G796Q.tmp.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: is-G796Q.tmp.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: is-6EAPK.tmp.1.dr | String found in binary or memory: https://desktop.line-scdn.net/win/bin/real/installer/installer.jsonSoftware
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: https://dev.pdfxd.com/account/v1/api/forgetpwd/step/submit?
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: https://dev.pdfxd.com/third/wx/qrcode/login/noticehttps://dev.pdfxd.com/third/wx/qrcode/loginhttps:/
Source: is-OIH7N.tmp.1.dr | String found in binary or memory: https://duokai.pdfxd.com/protocol.html
Source: hGlhyegaG6.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
      Source: overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.cab
      Source: overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.lzma
      Source: overseer.exe, overseer.exe, 00000002.00000003.1835747192.0000000000569000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835969909.000000000055F000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835895791.000000000055F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.def
      Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.defEd
      Source: overseer.exe, overseer.exe, 00000002.00000002.1860071003.00000001401EE000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.defGhttp://overseer.tools.avcdn.net
      Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.defR
      Source: overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.deff
      Source: is-K6GSK.tmp.1.drString found in binary or memory: https://sectigo.com/CPS0C
      Source: is-K6GSK.tmp.1.drString found in binary or memory: https://sectigo.com/CPS0D
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=en
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=en=
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=es
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=id
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=ja
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=ko
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=th
      Source: is-6EAPK.tmp.1.drString found in binary or memory: https://terms.line.me/line_terms?lang=zh-Hant
      Source: overseer.exe, overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
      Source: overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://v7event.stats.avast.com/cgi-bin/iavsevents.cgia
      Source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://v7event.stats.avast.com/cgi-bin/iavsevents.cgiiavs
      Source: is-MME84.tmp.1.dr, is-6EAPK.tmp.1.drString found in binary or memory: https://www.globalsign.com/repository/0
      Source: hGlhyegaG6.exe, 00000000.00000003.1757877930.000000007F49B000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.exe, 00000000.00000003.1757389822.0000000002ED0000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.tmp, 00000001.00000000.1759474820.0000000000C61000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.innosetup.com/
      Source: hGlhyegaG6.exe, 00000000.00000003.1757877930.000000007F49B000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.exe, 00000000.00000003.1757389822.0000000002ED0000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.tmp, 00000001.00000000.1759474820.0000000000C61000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.remobjects.com/ps
      Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
      Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
      Source: unknown | HTTPS traffic detected: 2.19.11.98:443 -> 192.168.2.4:49733 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49735 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49736 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49734 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 34.117.223.223:443 -> 192.168.2.4:49737 version: TLS 1.2
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_2_0000000140001000 2_2_0000000140001000
      Source: hGlhyegaG6.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
      Source: is-OIH7N.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: 7-zip archive data, version 0.4
      Source: is-OIH7N.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: is-P1BFE.tmp.1.dr | Static PE information: Resource name: SETUPCAB type: Microsoft Cabinet archive data, Windows 2000/XP setup, 352422 bytes, 1 file, at 0x2c +A "wnbz\wnbz.exe", ID 12345, number 1, 25 datablocks, 0x1 compression
      Source: hGlhyegaG6.exe | Static PE information: Number of sections : 11 > 10
      Source: hGlhyegaG6.tmp.0.dr | Static PE information: Number of sections : 11 > 10
      Source: hGlhyegaG6.exe, 00000000.00000003.1757389822.0000000002FDF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs hGlhyegaG6.exe
      Source: hGlhyegaG6.exe, 00000000.00000000.1755637578.0000000000989000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs hGlhyegaG6.exe
      Source: hGlhyegaG6.exe, 00000000.00000003.1757877930.000000007F78B000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs hGlhyegaG6.exe
      Source: hGlhyegaG6.exe | Binary or memory string: OriginalFileName vs hGlhyegaG6.exe
      Source: hGlhyegaG6.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engine | Classification label: mal60.evad.winEXE@5/38@5/2
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{F12E76D4-B7F5-4A9A-AF3B-67A1FE6CA675}
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | File created: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp
      Source: Yara match | File source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp, type: DROPPED
      Source: Yara match | File source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp, type: DROPPED
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: hGlhyegaG6.exe | Virustotal: Detection: 20%
      Source: hGlhyegaG6.exe | String found in binary or memory: /LOADINF="filename"
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | File read: C:\Users\user\Desktop\hGlhyegaG6.exe
      Source: unknown | Process created: C:\Users\user\Desktop\hGlhyegaG6.exe "C:\Users\user\Desktop\hGlhyegaG6.exe"
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Process created: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp "C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp" /SL5="$30584,32291600,857600,C:\Users\user\Desktop\hGlhyegaG6.exe"
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Process created: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe "C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe"
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: wtsapi32.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: winsta.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: textinputframework.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: coremessaging.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: ntmarta.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: shfolder.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: rstrtmgr.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: dwmapi.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: sfc.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: sfc_os.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: explorerframe.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: secur32.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: winrnr.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: schannel.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: mskeyprotect.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Section loaded: ncryptsslp.dll
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Window found: window name: TMainForm
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: hGlhyegaG6.exe | Static file information: File size 33266825 > 1048576
      Source: hGlhyegaG6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256b% source: is-H6PSO.tmp.1.dr
      Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdb source: is-6EAPK.tmp.1.dr
      Source: Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: is-H6PSO.tmp.1.dr
      Source: Binary string: C:\vmagent_new\bin\joblist\784575\out\Release\InstSe.pdb source: is-MME84.tmp.1.dr
      Source: Binary string: d:\Work\Wnsoft\WnInstall(wnwg)\WnInstall\Release\WnInstall.pdb source: is-P1BFE.tmp.1.dr
      Source: Binary string: D:\jenkins_agent\workspace\windows_desktop_new_installer_build\line-updater\LineInstaller\bin\LineInstaller.pdbI source: is-6EAPK.tmp.1.dr
      Source: Binary string: C:\BUILD\work\3ec84b7238d5b18a\BUILDS\Release\x64\overseer.pdb source: overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp
      Source: is-H6PSO.tmp.1.dr | Static PE information: 0x9AD0D863 [Mon Apr 22 05:55:47 2052 UTC]
      Source: is-H6PSO.tmp.1.dr | Static PE information: real checksum: 0x111707 should be: 0x11b53a
      Source: is-IOLM1.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x1cf47c
      Source: is-MVSHD.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x2169c9
      Source: is-0LBHD.tmp.1.dr | Static PE information: real checksum: 0x0 should be: 0x11b277
      Source: hGlhyegaG6.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x333175
      Source: is-4O04J.tmp.1.dr | Static PE information: real checksum: 0x2185b6 should be: 0x21e883
      Source: hGlhyegaG6.exe | Static PE information: section name: .didata
      Source: hGlhyegaG6.tmp.0.dr | Static PE information: section name: .didata
      Source: is-6EAPK.tmp.1.dr | Static PE information: section name: .fptable
      Source: is-4O04J.tmp.1.dr | Static PE information: section name: _RDATA
      Source: is-VF533.tmp.1.dr | Static PE information: section name: .didata
      Source: is-4MVAS.tmp.1.dr | Static PE information: section name: .didata
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_0056B2A8 push ecx; ret 2_3_0056B371
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_0055C350 push eax; ret 2_3_0055C351
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_0055C34B push eax; ret 2_3_0055C351
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_00567558 push eax; retf 2_3_00567559
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_0056C140 push eax; ret 2_3_0056C131
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_00567578 push edx; retf 2_3_00567579
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_00567574 push edx; retf 2_3_00567579
      Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe | Code function: 2_3_0056F56C push edx; ret 2_3_0056F579
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-P1BFE.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-OIH7N.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\)).t.8.1.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\)~. ...h.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MME84.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129 - o,.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-DBR9G.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-H6PSO.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-IOLM1.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\Free Countdown Timer_5.2.0.0.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4O04J.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\w.)...exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K6GSK.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-G796Q.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\LineInst.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\WhatsApp Installer.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3 - o,.exe (copy)
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | File created: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\j ..H_7.4.0_1735612174.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\..kW..2.0.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\...u(360.H)_3.1.0.1_1734850795.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-0LBHD.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K1PBH.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\].-N.t._1.5.0.5.exe (copy)
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-6EAPK.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MVSHD.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Local\Temp\is-INPU8.tmp\_isetup\_setup64.tmp
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | File created: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp
      Source: C:\Users\user\Desktop\hGlhyegaG6.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; Code function: 2_3_0056F261 sldt word ptr [eax]
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; Code function: 2_3_0055F4D2 str word ptr [eax+0055F470h]
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-P1BFE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-OIH7N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\)).t.8.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\)~. ...h.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MME84.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129 - o,.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-DBR9G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-H6PSO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-IOLM1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\Free Countdown Timer_5.2.0.0.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\w.)...exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K6GSK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-G796Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\LineInst.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\WhatsApp Installer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3 - o,.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\..kW..2.0.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\j ..H_7.4.0_1735612174.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\...u(360.H)_3.1.0.1_1734850795.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-0LBHD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K1PBH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\].-N.t._1.5.0.5.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-6EAPK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MVSHD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-INPU8.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; File opened: PhysicalDrive0
Source: overseer.exe, 00000002.00000002.1858743479.0000000000545000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp; Process information queried: ProcessInformation
Source: is-MME84.tmp.1.dr; Binary or memory string: Jr+br+bwbProgram ManagerProgmanSoftMgrLite.exeSOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemConsentPromptBehaviorAdminPromptOnSecureDesktopUsers\Administrator\AppData\LocalSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeCreateProcessWithTokenWadvapi32.dllrunas360
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; Code function: 2_2_0000000140126F50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: is-MME84.tmp.1.dr; Binary or memory string: aRSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
MITRE ATT&CK Matrix (techniques listed per tactic, in the order of the matrix; a number preceding a technique is the count shown next to it in the matrix)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
• Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
• Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
• Defense Evasion: 1 Masquerading; 13 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; Compile After Delivery
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
• Discovery: 1 System Time Discovery; 221 Security Software Discovery; 13 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 System Owner/User Discovery; 1 Remote System Discovery; 13 System Information Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
• Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
• Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph (ID: 1625857; Sample: hGlhyegaG6.exe; Startdate: 27/02/2025; Architecture: WINDOWS; Score: 60). Graph image not reproduced; node data recoverable from it:

• Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
• hGlhyegaG6.exe started; dropped C:\Users\user\AppData\...\hGlhyegaG6.tmp (PE32) and started hGlhyegaG6.tmp
• hGlhyegaG6.tmp dropped C:\Users\user\AppData\...\w.)...exe (copy) (PE32), C:\Users\user\AppData\...\overseer.exe (copy) (PE32+), C:\...\j ..H_7.4.0_1735612174.exe (copy) (PE32) and 28 other files (27 malicious); started overseer.exe
• overseer.exe: analytics-prod-gcp.ff.avast.com (34.117.223.223, ports 443, 49734, 49735; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); a366.dscd.akamai.net (2.19.11.98, ports 443, 49733; ELISA-ASHelsinkiFinlandEU, European Union); 4 other IPs or domains; signature: Query firmware table information (likely to detect VMs)

Source | Detection | Scanner | Label
hGlhyegaG6.exe | 8% | ReversingLabs |
hGlhyegaG6.exe | 20% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\is-INPU8.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\)).t.8.1.exe (copy) | 17% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\)~. ...h.exe (copy) | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\...u(360.H)_3.1.0.1_1734850795.exe (copy) | 5% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\..kW..2.0.exe (copy) | 10% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3 - o,.exe (copy) | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\123SW.`_2.0.0.3.exe (copy) | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129 - o,.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\2000002290_406649A8EBDBEE64943B69C2B49248C8_20240129.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\Free Countdown Timer_5.2.0.0.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\LineInst.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\WhatsApp Installer.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\].-N.t._1.5.0.5.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-0LBHD.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4O04J.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-6EAPK.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-DBR9G.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-G796Q.tmp | 29% | ReversingLabs | Win32.Trojan.Sasfis
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-H6PSO.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-IOLM1.tmp | 3% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K1PBH.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-K6GSK.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MME84.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-MVSHD.tmp | 17% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-OIH7N.tmp | 5% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-P1BFE.tmp | 10% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp | 8% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\j ..H_7.4.0_1735612174.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\5927.2.15.32233\w.)...exe (copy) | 29% | ReversingLabs | Win32.Trojan.Sasfis
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://fallback.iabsra.avg.u.avcdn.net/avg/iabsra/servers.defon | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/coupon-detail | 0% | Avira URL Cloud | safe
http://hao.360.cnhttps://hao.360.cnIHomePageSafeEx1win10setsafemon | 0% | Avira URL Cloud | safe
https://analytics.ff.avast.comburger_over_http/v4/receive/json/56burgerx | 0% | Avira URL Cloud | safe
https://dev.pdfxd.com/third/wx/qrcode/login/noticehttps://dev.pdfxd.com/third/wx/qrcode/loginhttps:/ | 0% | Avira URL Cloud | safe
http://www.wnwb.com/ | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/verify-buy | 0% | Avira URL Cloud | safe
http://www.haili.io0 | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/getToken | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/license | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/price_plan | 0% | Avira URL Cloud | safe
http://bar.baidu.com/ie_xy.html | 0% | Avira URL Cloud | safe
http://https://ftp://http://&%s=%sllProcessIyInformatioNtQuer%snProcessQueryFu%smageNameWKernel32.dl | 0% | Avira URL Cloud | safe
http://crt.wosign.com/WoSignCodeSigning.crt0 | 0% | Avira URL Cloud | safe
http://www.wn51.com/ | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/code-to-activation | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/report/install_failU | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/coupon-detailRequest | 0% | Avira URL Cloud | safe
http://tt.137365.com | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/ewm | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/report/onlineU | 0% | Avira URL Cloud | safe
http://www.wn51.com/0 | 0% | Avira URL Cloud | safe
http://crl.wosign.com/WoSignCodeSigning.crl0G | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/registration-code/check | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/report/uninstallU | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDllc | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/open-wx-login | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/registration-code/registerU | 0% | Avira URL Cloud | safe
https://duokai.pdfxd.com/protocol.html | 0% | Avira URL Cloud | safe
http://v7event.stats.avast.co | 0% | Avira URL Cloud | safe
http://www.ttwnl.com | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/report/installU | 0% | Avira URL Cloud | safe
http://www.comodogroup.com/repository0B | 0% | Avira URL Cloud | safe
http://www.haili.io | 0% | Avira URL Cloud | safe
http://www.wosign.com/cps/0 | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/notlogin-pay-qr | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/code-to-registration | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/wechat-qr | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/config/soft_down | 0% | Avira URL Cloud | safe
https://dev.pdfxd.com/account/v1/api/forgetpwd/step/submit? | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/report/preinstallU | 0% | Avira URL Cloud | safe
http://api.kuaixunda.cn/api/sstatU | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
a366.dscd.akamai.net | 2.19.11.98 | true | false | | high
analytics-prod-gcp.ff.avast.com | 34.117.223.223 | true | false | | high
v7event.stats.avast.com | unknown | unknown | false | | high
s-overseer.avcdn.net | unknown | unknown | false | | high
analytics.ff.avast.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | false | | high
https://analytics.ff.avast.com/v4/receive/json/56 | false | | high
https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.def | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://api.kuaixunda.cn/api/coupon-detail | is-4MVAS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.wnwb.com/ | is-P1BFE.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | hGlhyegaG6.exe | false | | high
http://fallback.iabsra.avg.u.avcdn.net/avg/iabsra/servers.defon | overseer.exe, 00000002.00000003.1835747192.0000000000569000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://hao.360.cnhttps://hao.360.cnIHomePageSafeEx1win10setsafemon | is-MME84.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.lzmaSTEM32R | overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dev.pdfxd.com/third/wx/qrcode/login/noticehttps://dev.pdfxd.com/third/wx/qrcode/loginhttps:/ | is-OIH7N.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe | is-MME84.tmp.1.dr | false | | high
https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.cab | overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.indyproject.org/ | is-4MVAS.tmp.1.dr | false | | high
https://v7event.stats.avast.com/cgi-bin/iavsevents.cgiiavs | overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | false | | high
http://api.kuaixunda.cn/api/verify-buy | is-4MVAS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://api.pdfxd.com/pdf-service/v1/report%s?product=%s&version=%s&timestamp=%I64d&sign=%sactionprod | is-OIH7N.tmp.1.dr | false | | high
http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.cab( | overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.haili.io0 | is-G796Q.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html | overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | false | | high
https://apis.pdfxd.com/account/v1/api/forgetpwd/step/submit? | is-OIH7N.tmp.1.dr | false | | high
https://analytics.ff.avast.comburger_over_http/v4/receive/json/56burgerx | overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://api.kuaixunda.cn/api/getToken | is-4MVAS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.lzma | overseer.exe, overseer.exe, 00000002.00000003.1835602672.000000000057B000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.remobjects.com/ps | hGlhyegaG6.exe, 00000000.00000003.1757877930.000000007F49B000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.exe, 00000000.00000003.1757389822.0000000002ED0000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.tmp, 00000001.00000000.1759474820.0000000000C61000.00000020.00000001.01000000.00000004.sdmp | false | | high
http://api.kuaixunda.cn/api/license | is-4MVAS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://analytics.ff.avast.com | overseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp | false | | high
https://analytics.ff.avast.com/v4/receive/json/56uistatU | overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://desktop.line-scdn.net/win/bin/real/installer/installer.jsonSoftware | is-6EAPK.tmp.1.dr | false | | high
https://www.innosetup.com/ | hGlhyegaG6.exe, 00000000.00000003.1757877930.000000007F49B000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.exe, 00000000.00000003.1757389822.0000000002ED0000.00000004.00001000.00020000.00000000.sdmp, hGlhyegaG6.tmp, 00000001.00000000.1759474820.0000000000C61000.00000020.00000001.01000000.00000004.sdmp | false | | high
http://api.kuaixunda.cn/api/price_plan | is-4MVAS.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://bar.baidu.com/ie_xy.html | is-P1BFE.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://terms.line.me/line_terms?lang=ja | is-6EAPK.tmp.1.dr | false | | high
http://www.wn51.com/ | is-P1BFE.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://v7event.stats.avast.com/cgi-bin/iavsevents.cgia | overseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://https://ftp://http://&%s=%sllProcessIyInformatioNtQuer%snProcessQueryFu%smageNameWKernel32.dl | is-OIH7N.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | is-4MVAS.tmp.1.dr | false | | high
https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.lzma | overseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                                http://crt.wosign.com/WoSignCodeSigning.crt0hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.drfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sis-K6GSK.tmp.1.drfalse
                                                                  high
                                                                  http://nsis.sf.net/NSIS_ErrorErroris-0LBHD.tmp.1.dr, is-K1PBH.tmp.1.dr, is-IOLM1.tmp.1.dr, is-G796Q.tmp.1.drfalse
                                                                    high
                                                                    https://curl.se/docs/alt-svc.htmloverseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmpfalse
                                                                      high
                                                                      http://api.kuaixunda.cn/api/code-to-activationis-4MVAS.tmp.1.drfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://terms.line.me/line_terms?lang=idis-6EAPK.tmp.1.drfalse
                                                                        high
                                                                        http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.lzmaoverseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://api.kuaixunda.cn/api/coupon-detailRequestis-4MVAS.tmp.1.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://tt.137365.comis-MVSHD.tmp.1.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://api.kuaixunda.cn/api/report/install_failUis-4MVAS.tmp.1.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://api.kuaixunda.cn/api/report/onlineUis-4MVAS.tmp.1.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://nsis.sf.net/NSIS_Erroris-0LBHD.tmp.1.dr, is-IOLM1.tmp.1.drfalse
                                                                            high
                                                                            http://schemas.xmlsoap.org/wsdl/soap12/is-4MVAS.tmp.1.drfalse
                                                                              high
                                                                              https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.defRoverseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.wn51.com/0hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.drfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://analytics.ff.avast.com/v4/receive/json/56versoverseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://api.kuaixunda.cn/api/ewmis-4MVAS.tmp.1.drfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.baidu.com/index.php?tn=bdwn_pginvalidis-P1BFE.tmp.1.drfalse
                                                                                    high
                                                                                    http://crl.wosign.com/WoSignCodeSigning.crl0GhGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.drfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://analytics.ff.avast.com/overseer.exe, 00000002.00000002.1858743479.0000000000562000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://baoku.360.cn/search/webSoftListis-MME84.tmp.1.drfalse
                                                                                        high
                                                                                        http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.478.caboverseer.exe, overseer.exe, 00000002.00000003.1835602672.000000000057B000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://api.kuaixunda.cn/api/registration-code/checkis-4MVAS.tmp.1.drfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://ocsp.sectigo.com0is-K6GSK.tmp.1.drfalse
                                                                                            high
                                                                                            http://api.kuaixunda.cn/api/report/uninstallUis-4MVAS.tmp.1.drfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://terms.line.me/line_terms?lang=en=is-6EAPK.tmp.1.drfalse
                                                                                              high
                                                                                              http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUis-K6GSK.tmp.1.drfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/soap/envelope/is-4MVAS.tmp.1.drfalse
                                                                                                  high
                                                                                                  http://api.kuaixunda.cn/api/open-wx-loginis-4MVAS.tmp.1.drfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.winimage.com/zLibDllcis-MME84.tmp.1.drfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.caboverseer.exe, overseer.exe, 00000002.00000003.1835420103.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835533900.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835376415.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835441303.00000000005ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://duokai.pdfxd.com/protocol.htmlis-OIH7N.tmp.1.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://api.kuaixunda.cn/api/registration-code/registerUis-4MVAS.tmp.1.drfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#is-K6GSK.tmp.1.drfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/wsdl/soap/is-4MVAS.tmp.1.drfalse
                                                                                                        high
                                                                                                        https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.deffoverseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://v7event.stats.avast.cooverseer.exe, overseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://analytics.ff.avast.com/v4/receive/json/56Voverseer.exe, 00000002.00000003.1836101011.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1835835518.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.borland.com/namespaces/Typesis-4MVAS.tmp.1.drfalse
                                                                                                              high
                                                                                                              http://www.comodogroup.com/repository0BhGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.drfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://crl.thawte.com/ThawteTimestampingCA.crl0is-G796Q.tmp.1.drfalse
                                                                                                                high
                                                                                                                http://www.ttwnl.comis-MVSHD.tmp.1.drfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://api.kuaixunda.cn/api/report/installUis-4MVAS.tmp.1.drfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://terms.line.me/line_terms?lang=enis-6EAPK.tmp.1.drfalse
                                                                                                                  high
                                                                                                                  https://sectigo.com/CPS0Cis-K6GSK.tmp.1.drfalse
                                                                                                                    high
                                                                                                                    https://terms.line.me/line_terms?lang=esis-6EAPK.tmp.1.drfalse
                                                                                                                      high
                                                                                                                      https://sectigo.com/CPS0Dis-K6GSK.tmp.1.drfalse
                                                                                                                        high
                                                                                                                        http://www.wosign.com/cps/0hGlhyegaG6.tmp, 00000001.00000002.1819813933.0000000000B2D000.00000004.00000010.00020000.00000000.sdmp, is-P1BFE.tmp.1.drfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://www.haili.iois-G796Q.tmp.1.drfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        http://baoku.360.cn/search/webSoftList(softmgr)is-MME84.tmp.1.drfalse
                                                                                                                          high
                                                                                                                          http://api.kuaixunda.cn/api/notlogin-pay-qris-4MVAS.tmp.1.drfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://curl.se/docs/http-cookies.htmloverseer.exe, 00000002.00000000.1812811963.0000000140180000.00000002.00000001.01000000.00000006.sdmp, overseer.exe, 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmpfalse
                                                                                                                            high
                                                                                                                            http://api.kuaixunda.cn/api/config/soft_downis-4MVAS.tmp.1.drfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://api.kuaixunda.cn/api/wechat-qris-4MVAS.tmp.1.drfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://api.kuaixunda.cn/api/sstatUis-4MVAS.tmp.1.drfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://ocsp.thawte.com0is-G796Q.tmp.1.drfalse
                                                                                                                              high
                                                                                                                              https://s-overseer.avcdn.net/tools/avg/overseer/x64/overseer.exe.defEdoverseer.exe, 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://api.kuaixunda.cn/api/code-to-registrationis-4MVAS.tmp.1.drfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                https://analytics.ff.avast.com/v4/receive/json/56Ioverseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://dev.pdfxd.com/account/v1/api/forgetpwd/step/submit?is-OIH7N.tmp.1.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://api.kuaixunda.cn/api/report/preinstallUis-4MVAS.tmp.1.drfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://analytics.ff.avast.com/v4/receive/json/56172overseer.exe, 00000002.00000002.1858918397.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1853159713.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857917622.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1858387119.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1857627513.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1854373776.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, overseer.exe, 00000002.00000003.1856768953.00000000005A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.223.223 | analytics-prod-gcp.ff.avast.com | United States | 139070 | GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG | false
2.19.11.98 | a366.dscd.akamai.net | European Union | 719 | ELISA-AS Helsinki Finland EU | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1625857
Start date and time: 2025-02-27 18:20:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hGlhyegaG6.exe (renamed because the original name is a hash value)
Original Sample Name: 7915b71dd31bd2c6f7a6bba943525920.exe
Detection: MAL
Classification: mal60.evad.winEXE@5/38@5/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 40.126.32.134, 13.107.246.60, 20.223.36.55, 2.19.96.129
• Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target overseer.exe, PID 3992, because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
Time | Type | Description
12:21:33 | API Interceptor | 1x Sleep call for process: overseer.exe modified
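The API Interceptor entry above records that the sandbox modified a Sleep call in overseer.exe, that is, it shortened the wait so the analysis does not stall. Evasive samples commonly look for exactly this by timing the sleep against an independent clock. The following is an added example, not code from the report or from the sample, of that check in Python: time.sleep and time.monotonic stand in for the Windows Sleep/GetTickCount pair, and the patched_sleep stub and FakeClock class are constructed stand-ins for two sandbox strategies (skipping the wait only, and skipping the wait while advancing the clock consistently).

```python
import time


def sleep_was_skipped(requested_s, sleep_fn=time.sleep, clock_fn=time.monotonic,
                      tolerance=0.5):
    """Return True if sleep_fn returned well before requested_s elapsed.

    This is the timing check evasive malware performs: request a long Sleep,
    then compare the real elapsed time (from a clock the sandbox may not have
    hooked) with what was requested. A sandbox that merely shortens Sleep
    makes the elapsed time collapse, which the sample can treat as a tell.
    tolerance is the fraction of requested_s below which the sleep counts as
    skipped; 0.5 is an assumed value, not one taken from the report.
    """
    start = clock_fn()
    sleep_fn(requested_s)
    elapsed = clock_fn() - start
    return elapsed < requested_s * tolerance


# Constructed stand-in for a sandbox that patches Sleep to return at once
# without touching any time source.
def patched_sleep(_seconds):
    return None


class FakeClock:
    """Constructed stand-in for a sandbox that skips the wait but also
    advances every clock it exposes by the skipped amount, so the
    timing comparison no longer reveals the patch."""

    def __init__(self, start=1000.0):
        self.now = start

    def sleep(self, seconds):
        self.now += seconds   # no real wait, but the clock moves forward

    def monotonic(self):
        return self.now


def demo():
    """Run the three scenarios and return their verdicts as a dict."""
    clock = FakeClock()
    return {
        "real_sleep": sleep_was_skipped(0.05),                       # genuine wait
        "sleep_only_patched": sleep_was_skipped(5.0, sleep_fn=patched_sleep),
        "sleep_and_clock_patched": sleep_was_skipped(
            5.0, sleep_fn=clock.sleep, clock_fn=clock.monotonic),
    }


if __name__ == "__main__":
    for name, skipped in demo().items():
        print(f"{name}: sleep skipped = {skipped}")
```

The third scenario is why a sandbox that shortens sleeps must also keep GetTickCount, QueryPerformanceCounter and the other time sources moving in step; when only Sleep is patched, the sample's first comparison exposes the instrumentation and it can simply exit before doing anything worth recording.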
Match: 34.117.223.223
Associated Sample Name / URL | Detection | Threat Name | Context
Canvas of Kings_N6xC-S2.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Violated Heroine_91zbZ-1.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
avast_free_antivirus_setup_online.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
avast_free_antivirus_setup_online.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe | malicious | PrivateLoader | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Microstub.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
Microstub.exe | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi
ccsetup621.zip | malicious | Unknown | v7event.stats.avast.com/cgi-bin/iavsevents.cgi

Match: 2.19.11.98
Associated Sample Name / URL | Detection | Threat Name
https://mfsus-my.sharepoint.com/:u:/p/jmaldonado/ETgv2ykDZTZFqqQuEgMT5HYBmLmp6Wc681CQdzzQhFcYJQ?e=deM7Fd | malicious | HTMLPhisher
https://1drv.ms/f/s!Al3kOrNM1pisdUEXbGg8JkzKK48?e=tOzHl1 | malicious | HTMLPhisher
https://tampopo304-my.sharepoint.com/personal/t_peter_tampopo_co_uk/_layouts/15/guestaccess.aspx?share=ErD6Vn1_jHJCkzNA55SF53AB1bLxHPSyAiXwDO2SC9GB1Q&e=F2hCiy | malicious | HTMLPhisher, Tycoon2FA
https://1drv.ms/f/s!AjoVkDIsGnpOd7LuARNPe9SBPXk?e=Pdaap6 | malicious | Unknown
Microsoft subscription purchase confirmation.eml | malicious | HTMLPhisher
https://used-trudy-s08zvfvm.dcms.site/ | malicious | HTMLPhisher
https://gsiarchitektenag-my.sharepoint.com/:f:/g/personal/gs_gsi-architekten_ch/EntlC9XtnJ1Bgd09WLx74WkBB05V16Z8JVmiV-l5ACpLgQ?e=KRNxYh | malicious | Unknown
https://rnicrosoft-secured-office.squarespace.com/sharepointcoc?e=bob_smith@gmail.com | malicious | HTMLPhisher
installer.msi | malicious | Unknown
NRKCZ1PSDM.exe | malicious | PureLog Stealer, Vidar
Match: analytics-prod-gcp.ff.avast.com
Associated Sample Name / URL | Detection | Threat Name | Context
Canvas of Kings_N6xC-S2.exe | malicious | Unknown | 34.117.223.223
Violated Heroine_91zbZ-1.exe | malicious | Unknown | 34.117.223.223
lw2HMxuVuf.exe | malicious | Unknown | 34.117.223.223
avast_free_antivirus_setup_online.exe | malicious | Unknown | 34.117.223.223
avast_free_antivirus_setup_online.exe | malicious | Unknown | 34.117.223.223
https://download.ccleaner.com/portable/ccsetup629.zip | malicious | Unknown | 34.117.223.223
https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail | malicious | Unknown | 34.117.223.223
SecuriteInfo.com.Trojan.Siggen29.7508.16428.4641.exe | malicious | Unknown | 34.117.223.223
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.117.223.223
Team Fortress 2 Brotherhood Of Arms_aez-LU1.exe | malicious | Unknown | 34.117.223.223
Match: GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG
Associated Sample Name / URL | Detection | Threat Name | Context
http://rbitzer.com | malicious | Unknown | 34.117.239.71
http://mail.aestheticfina.com | malicious | Unknown | 34.117.188.166
CheatEngine75.exe | malicious | Unknown | 34.117.223.223
9JJKvVwvGx.exe | malicious | Destiny Stealer, Phemedrone Stealer, StormKitty | 34.117.59.81
REMITTANCE DETAILS....xlsx | malicious | HTMLPhisher, Invisible JS | 34.117.188.166
X9aIq7jyai.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
7HLZuA5T52.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
bwJj13Uume.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
F2024065877 (1).html | malicious | Unknown | 34.117.188.166
Ahnenblatt4.exe | malicious | Unknown | 34.117.188.166

Match: ELISA-AS Helsinki Finland EU
Associated Sample Name / URL | Detection | Threat Name | Context
x86.elf | malicious | Mirai, Moobot | 157.145.81.32
debug.dbg.elf | malicious | Mirai, Moobot | 157.145.68.75
arm7.elf | malicious | Mirai, Moobot | 157.144.158.145
CheatEngine75.exe | malicious | Unknown | 2.19.11.115
ppc.elf | malicious | Unknown | 81.197.31.98
https://docs.google.com/presentation/d/e/2PACX-1vSvmWyfLEJZ5nZ6r7zLeERwPTtQoLAUQ4RPEvcJe62ARx9vU5tDh9sA907TMKlRkeGtkb4myCac4reD/pub?start=false&loop=false&delayms=3000 | malicious | Unknown | 2.19.11.163
FW_ Fw_ Spreadsheet shared with you_ _Invitation to Bid_ By Elna Davis [ID_0023058].eml | malicious | HTMLPhisher, Invisible JS | 2.19.11.103
New Missed Call Notification for jim.huber 2252025 84809 PM.msg | malicious | Unknown | 2.19.11.120
http://docusign.net | malicious | Unknown | 2.19.11.109
star.ppc.elf | malicious | Mirai, Moobot | 91.156.132.69
Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b5211.exe | malicious | Unknown | 34.117.223.223, 2.19.11.98
setup.msi | malicious | Unknown | 34.117.223.223, 2.19.11.98
5bf784.msi | malicious | Unknown | 34.117.223.223, 2.19.11.98
34.exe | malicious | Unknown | 34.117.223.223, 2.19.11.98
11.exe | malicious | Unknown | 34.117.223.223, 2.19.11.98
BundleInstaller.dll.exe | malicious | Unknown | 34.117.223.223, 2.19.11.98
CffcJEOeKdr.vbs | malicious | Unknown | 34.117.223.223, 2.19.11.98
microsoft-update.bat | malicious | Unknown | 34.117.223.223, 2.19.11.98
s57VlxH5.bat | malicious | Quasar | 34.117.223.223, 2.19.11.98
SDG9IrTB.bat | malicious | Quasar | 34.117.223.223, 2.19.11.98
Match: C:\Users\user\AppData\Local\Temp\is-INPU8.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL | Detection | Threat Name
CheatEngine75.exe | malicious | Unknown
script.exe | malicious | RMSRemoteAdmin
script.exe | malicious | RMSRemoteAdmin
LjRzIncZn3.exe | malicious | Unknown
5Y4GVzLuoR.exe | malicious | MicroClip
LjRzIncZn3.exe | malicious | Unknown
W0utxsxevL.exe | malicious | MicroClip
7UeILSfH5L.exe | malicious | MicroClip
5Y4GVzLuoR.exe | malicious | Unknown
W0utxsxevL.exe | malicious | MicroClip
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CheatEngine75.exe, Detection: malicious
• Filename: script.exe, Detection: malicious
• Filename: script.exe, Detection: malicious
• Filename: LjRzIncZn3.exe, Detection: malicious
• Filename: 5Y4GVzLuoR.exe, Detection: malicious
• Filename: LjRzIncZn3.exe, Detection: malicious
• Filename: W0utxsxevL.exe, Detection: malicious
• Filename: 7UeILSfH5L.exe, Detection: malicious
• Filename: 5Y4GVzLuoR.exe, Detection: malicious
• Filename: W0utxsxevL.exe, Detection: malicious
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\hGlhyegaG6.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3347968
Entropy (8bit): 6.594964217507136
Encrypted: false
SSDEEP: 49152:CdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQ5333Re+I:0JYVM+LtVt3P/KuG2ONG9iqLRQ5333E
MD5: 6E8DE531DFA6FFD065F93E3902A1CB51
SHA1: 9A484E85432C38D9749C2DFB56E72207A6A9B88E
SHA-256: 0313C8B1EAF4BF8A2C920717CAD7335B7AA9C210298C659B97647E433B0272BD
SHA-512: 30DB086FA4E73A17F32321BC4CF4D16BD9A58540DAA9E77FE4FCA1361618B874AD33A673012D85C7A28474FB3376C739389B7321DE4D3E08581D50913C1A51D2
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2133356
Entropy (8bit): 7.958858034406502
Encrypted: false
SSDEEP: 49152:hEm1GGw/Zh77JiahbzAhYvyBgNJNAh6gc+h66Jku9ZpD+V+sYogi6u:hESIRhhikzvyGNJNAh6gl66j7snVR
MD5: CE1B25AFC637CD65CA2073ED4CAA0F89
SHA1: DF63FFF356F10CC91817C287C155A2936603DBE2
SHA-256: FB11CDF43004A2501A8A550D333127C0076FEE06C4D7764A9EDCE100158C9874
SHA-512: E546CB491563F4744971656D0FA0D989132BCED70B62620A7A569F22BE3A61892E15A64B47B7DAB814D2EE0963CF3141A1322E6608A5501AC0458DD877EB1328
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 1852343
Entropy (8bit): 7.992987797929006
Encrypted: true
SSDEEP: 49152:8fPgbXOkVdIH8r1c1DitzO+GkXVWJoJz3:j6+dIH8r1YKi+G4VOE7
MD5: 1A6CB299E629634260182F26F7C0661F
SHA1: 851BDB0768062380951A6C429DE9D0497649AE76
SHA-256: B4419DBDB3A5417AE9E39037B5AF1FE075FCAD656C12E1D8C5B822EEA6E72C19
SHA-512: FC85211C8C16CB5AC0C36FEFF7273FA40A9D2C040B9CE6F5C2B5D9ABFABEC1CE21619B15E73863E67E5D18E4521018C9EFC287908E4B2F4D1F96AC29DC414FA2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6603672
Entropy (8bit): 7.865075735815504
Encrypted: false
SSDEEP: 196608:NAytnH/3fbFaZtxD+snNf+TNa7QXaVHMeq6R9dTa27:iyt3OUZEfHMidH
MD5: 5015AF231898F219B9449875055BD991
SHA1: 8776F311ACBB9AD29B7AF7C5B1ACCDAB33AB3166
SHA-256: DA90259734B79DFA1DC1BB104B0099DC16831B42A3D27BB4397C48E879577455
SHA-512: B94B81BA856E3F6CB4703BB8CAAA62FC5A91F4227BC984E30A75811D86AC13BCD66593219C6282141141ED186F331FCE87494EC0196D35E35147DA7859FA9AA1
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1095248
Entropy (8bit): 7.3847854536731194
Encrypted: false
SSDEEP: 24576:Z+8FYDQIdsIi3ZVmrdZvGk6Vl5WCu36ivyh9cuiJh/G5L73oH:YtuZERsk6n5WCQLucq3oH
MD5: 839A48C3AFC914A5627B5F68D5332AFF
SHA1: CA8E9D49A598AD614E8861E31DDCECCA3C8ABB4A
SHA-256: 4F856B9B0940C7627CC13329E5B9B99A21EDD1AB466DABD53241077C0F6353D2
SHA-512: ED699354E851860F62C113F0F419C61D95395E3FB8F441C9BEC7A3F47CE2449930B23627463284E00B8D536A1F9C576C5956DD4555343C3179F73B5C1FE87D00
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 10%
Reputation: low
Process: C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3275912
Entropy (8bit): 6.704682677119929
Encrypted: false
SSDEEP: 49152:RI01naSsx4G5NT+NLHBTkBGm5sebVCfT9TT6S0mxf+Q0d:bG5NKN6nh86Lmxfyd
MD5: 3909D43C55B62C3AC16D2843A63F857B
SHA1: A6879E7DB07033B7908D34DA720C39A45613EEE5
SHA-256: A7D833EEE668FBB9EC815B71845A3C434E77AE3CF7ECCD91C60C3F109C5181E1
SHA-512: 9978946EB01CDB898C915D77A7D1818A2B17C7C851D07432FA667E80C1F19F35F057150E9822B3A0E4DD6706C6C79E835479487662339FEF08C0A0B09E0521A0
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%
Reputation: low

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1527528
Entropy (8bit):6.6753627354933744
Encrypted:false
SSDEEP:24576:+JOglUaWQcgBX4pa4SLLsQ+VWiDx6F/kvXTG860PvmeCI:+kyWEBi0Q7WiZXTLPueCI
MD5:406649A8EBDBEE64943B69C2B49248C8
SHA1:03D2BC4FA3335ED2790E9DEB2683C193BC93FF14
SHA-256:04F0B3427F1C9B374BD1266ACAB80EB5C763F4196E4ACDDE195AD79396BF5D5B
SHA-512:FBD7F6AEC8B84C22E9DB3B14CC3E1E3AA22FA03A16296B4185EEA1FF2343DDB449A8CEF580870942FDA8B25276A314E6722A811CD6C451A8ACC8C80A2BA021A5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4758456
Entropy (8bit):7.9868993000639845
Encrypted:false
SSDEEP:98304:EIztAOnrDbONTcfRkAtNpf3oGEUa1E0roN0fcDUcfHySM:piOHscGINSGEUa1pa00DUlSM
MD5:E4E292C563B51EB8AC526103A736AA9F
SHA1:52CEDF2CCBE9816DD71E25785F3C227C88A97E82
SHA-256:8699D7890F44CA0A7FA44796886DD9129D2F621D15E78043667D7A8E297F4908
SHA-512:DA0B5F202A774133914C2C85598F27FE46DEB5520C533F030B9DC4FE89C6CA66B4143D826E13206070B82C6F50124F5879B12D25CCB3B170AFEE61C4EE39C050
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1032896
Entropy (8bit):5.429142096187797
Encrypted:false
SSDEEP:12288:RVBOEu9gjRKJF5zx1xVgRxbmtIdvb3ifimF9pXDLervxnPRUrh2r/w4x:RoJ9V0Q+vb3ifTFvervxnpih2rlx
MD5:4AD2FC6FFF2E693478EADC6793F76924
SHA1:70483D3952D781A088D8D990F1E3921CDA694F01
SHA-256:35018E18982188FC5F485F462E7A77FADE7E0CB632FAF632E163622815B9E90A
SHA-512:44675DEE84800CB84AF65A707D491C88E99DAF3CC7AADC9F8BF4D2DAECE69D02243BA29131D89AB6F46D3E9BF7482831C3CE3264277F38A731B63891FF377605
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:data
Category:dropped
Size (bytes):6100183
Entropy (8bit):7.970907477115673
Encrypted:false
SSDEEP:98304:5RumfOlbeaEnjdEqiPR6ppmLAnjbg8iFoCKjYjtgCVnZrdVmDJiFq9kg22LU:5Ru9Ve9xEqM6Hm2bg8kKCRFmDJIikx
MD5:50CC3FC19ED36031A5B9A49365DFC6BF
SHA1:51032E78848970154558690C4B76D2E6C017143B
SHA-256:16BC5778331435D0CB76A9ABD49933BA64B09F79B5C0151AD1DA3192B78159CC
SHA-512:73B02C2F13BDF9DFF99ED3F9DF3F2C376BED80FD471430111AFD414CAC27CAD21DBE4EE20FBD78F9E63C354FFA47E4AE23396E41723C7A9076D25D33A680FC43
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1096224
Entropy (8bit):6.826758378910142
Encrypted:false
SSDEEP:12288:qB613t1V9A+Tac0RDffXJjyYp88oNHSy5viczGMwP2FC1Wf3VfXJjyNpor:UG1k+2DR7BWYp88o44HP9BWNpor
MD5:90B27B057D16422ACED7DBF4CF8995AA
SHA1:0DE3BDE3E1DFA1CAD7363F8091242121BC71A5DA
SHA-256:97147A56EB2B9A9DC60F149AE574531FB22E39B9C820F2E2A3E0AF38D56BF1DC
SHA-512:FAB574629B5028ABB290788AF35CFBE16A7DA617FBFE198634C07B7B2D7BAAA9BF8BDDEBC3A431D0357B3303BF118A43DC02E766E6049571E8A054464F5349D6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):1136657
Entropy (8bit):7.985069142877887
Encrypted:false
SSDEEP:24576:s/cSSxt6hnMVODHtt9D/wbQOrqiWaX2CId72lgn:s/rSDULHttB8rhWaXfM2lgn
MD5:54BF45525D59EA00562E92C4EA449241
SHA1:AB338D1C4F2636E08D798018551556A875E1438D
SHA-256:F921F4BE22C2455728A63B4B68EF3C7CCC6BD9EE0162A8228E1A2D6D1D831F33
SHA-512:42B3408E0C665C8285F9D286E172D7B2DFBA4EF19EBED40704FC19F44D53750635DEFE34A2947ED30DBC85D63D8D88872AE7E1506A4BC8AF7C98BBCF3770CB32
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:data
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):240343
                                                                                                                                                                            Entropy (8bit):6.49164314704198
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:6144:8sSk7Ct4W8i5u9kKvYwVOX6IrO6rZpbeGI3:BSx8iwkKvh86dQZpb7I3
                                                                                                                                                                            MD5:57A0F4852EDDD8D4203B59FA9897DD21
                                                                                                                                                                            SHA1:B52B42AED913CCB7F53221B2EBD3382BE00D472E
                                                                                                                                                                            SHA-256:E7BBB4E10E44963ECD55ADB434CDFEB2096068D3A8CC0D82F2FCC7CFB8673CB6
                                                                                                                                                                            SHA-512:F5A52F8992BD238D75B12E52932C5531A3382C31FC8EFFEDCA4EAC5420F30DF8A9B7D744AFD548F723EDF71074192117B8A0956C85F6624CC8C7889B4C669DD7
                                                                                                                                                                            Malicious:false
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):3275912
                                                                                                                                                                            Entropy (8bit):6.704682677119929
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:49152:RI01naSsx4G5NT+NLHBTkBGm5sebVCfT9TT6S0mxf+Q0d:bG5NKN6nh86Lmxfyd
                                                                                                                                                                            MD5:3909D43C55B62C3AC16D2843A63F857B
                                                                                                                                                                            SHA1:A6879E7DB07033B7908D34DA720C39A45613EEE5
                                                                                                                                                                            SHA-256:A7D833EEE668FBB9EC815B71845A3C434E77AE3CF7ECCD91C60C3F109C5181E1
                                                                                                                                                                            SHA-512:9978946EB01CDB898C915D77A7D1818A2B17C7C851D07432FA667E80C1F19F35F057150E9822B3A0E4DD6706C6C79E835479487662339FEF08C0A0B09E0521A0
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Yara Hits:
                                                                                                                                                                            • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-4MVAS.tmp, Author: Joe Security
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):2170952
                                                                                                                                                                            Entropy (8bit):6.555833138686776
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:49152:kMLPHrldaIVplxcLm3J4Xn1syCZA/zIWTm2bB5XTAndMQJIV4y:S6vh2bzcndjoj
                                                                                                                                                                            MD5:7D81D10AA526A9F85DC4C4670AD7BDB3
                                                                                                                                                                            SHA1:9F9AF5D9E70D901065104FE07291FB2354793ECE
                                                                                                                                                                            SHA-256:70CDA5C9A8095D618F96B3BA330892A7A902CDCD9F9530E82F9CB6DCA5B8AC89
                                                                                                                                                                            SHA-512:CE4C62D235FA3A23E93508D5F2F7157A45159F1C5DD6DCB24E6FE1ED9FC6F0D4AD8B5884A2304A58B2D56DF57E9CADDD206F512AC8E518E93A3CC46506A34E80
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1032896
                                                                                                                                                                            Entropy (8bit):5.429142096187797
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:12288:RVBOEu9gjRKJF5zx1xVgRxbmtIdvb3ifimF9pXDLervxnPRUrh2r/w4x:RoJ9V0Q+vb3ifTFvervxnpih2rlx
                                                                                                                                                                            MD5:4AD2FC6FFF2E693478EADC6793F76924
                                                                                                                                                                            SHA1:70483D3952D781A088D8D990F1E3921CDA694F01
                                                                                                                                                                            SHA-256:35018E18982188FC5F485F462E7A77FADE7E0CB632FAF632E163622815B9E90A
                                                                                                                                                                            SHA-512:44675DEE84800CB84AF65A707D491C88E99DAF3CC7AADC9F8BF4D2DAECE69D02243BA29131D89AB6F46D3E9BF7482831C3CE3264277F38A731B63891FF377605
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):1527528
                                                                                                                                                                            Entropy (8bit):6.6753627354933744
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:24576:+JOglUaWQcgBX4pa4SLLsQ+VWiDx6F/kvXTG860PvmeCI:+kyWEBi0Q7WiZXTLPueCI
                                                                                                                                                                            MD5:406649A8EBDBEE64943B69C2B49248C8
                                                                                                                                                                            SHA1:03D2BC4FA3335ED2790E9DEB2683C193BC93FF14
                                                                                                                                                                            SHA-256:04F0B3427F1C9B374BD1266ACAB80EB5C763F4196E4ACDDE195AD79396BF5D5B
                                                                                                                                                                            SHA-512:FBD7F6AEC8B84C22E9DB3B14CC3E1E3AA22FA03A16296B4185EEA1FF2343DDB449A8CEF580870942FDA8B25276A314E6722A811CD6C451A8ACC8C80A2BA021A5
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                            Category:dropped
                                                                                                                                                                            Size (bytes):4311160
                                                                                                                                                                            Entropy (8bit):7.980526290879143
                                                                                                                                                                            Encrypted:false
                                                                                                                                                                            SSDEEP:98304:IUhXP8QOfBY4E85J1s6S0HIte1adV2tvXG2RWUGT2/zpexUhqG:XhXP89J02G/FQUdEvXFTrpphqG
                                                                                                                                                                            MD5:A6A41878AED135EBC51B899EE57F81BD
                                                                                                                                                                            SHA1:7E3988FFCB7DCE02031B2EB65BEFA968D94E18B9
                                                                                                                                                                            SHA-256:C7D28D502B476388E14F362A209D6F4BBD7E7DA993725A9166AFA746814C6942
                                                                                                                                                                            SHA-512:3D692AC2711D4A02F5D481F763C3B0706A18683426A02E3461E677804DFB238BAF97666137C7F869B613AA510FDC5A04EFD2425B914BD23A113D8C1791C8DA6C
                                                                                                                                                                            Malicious:true
                                                                                                                                                                            Antivirus:
                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 29%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1096224
Entropy (8bit):6.826758378910142
Encrypted:false
SSDEEP:12288:qB613t1V9A+Tac0RDffXJjyYp88oNHSy5viczGMwP2FC1Wf3VfXJjyNpor:UG1k+2DR7BWYp88o44HP9BWNpor
MD5:90B27B057D16422ACED7DBF4CF8995AA
SHA1:0DE3BDE3E1DFA1CAD7363F8091242121BC71A5DA
SHA-256:97147A56EB2B9A9DC60F149AE574531FB22E39B9C820F2E2A3E0AF38D56BF1DC
SHA-512:FAB574629B5028ABB290788AF35CFBE16A7DA617FBFE198634C07B7B2D7BAAA9BF8BDDEBC3A431D0357B3303BF118A43DC02E766E6049571E8A054464F5349D6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):1852343
Entropy (8bit):7.992987797929006
Encrypted:true
SSDEEP:49152:8fPgbXOkVdIH8r1c1DitzO+GkXVWJoJz3:j6+dIH8r1YKi+G4VOE7
MD5:1A6CB299E629634260182F26F7C0661F
SHA1:851BDB0768062380951A6C429DE9D0497649AE76
SHA-256:B4419DBDB3A5417AE9E39037B5AF1FE075FCAD656C12E1D8C5B822EEA6E72C19
SHA-512:FC85211C8C16CB5AC0C36FEFF7273FA40A9D2C040B9CE6F5C2B5D9ABFABEC1CE21619B15E73863E67E5D18E4521018C9EFC287908E4B2F4D1F96AC29DC414FA2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2928656
Entropy (8bit):7.801050631407657
Encrypted:false
SSDEEP:49152:ItR906umMr2gLi03MyyrDDfaDXT/51tS7+3ICGd50ygYi5e6I2apCT:It30rmhQp3MxnaDXTj94PdClDOe
MD5:146EA26DF8192F1E0DC560E292270461
SHA1:C01148F924CC878885F760FB3F8DAFBA5D3BFCCD
SHA-256:CD06EC5230853CB39C9786B680FDA7A0755673E9F21339C0DC7AF6A9B2D2BAD7
SHA-512:624A4C945A8528CC141C7B1A3C3F158457508E71BC457A5F154AAC2DDC118B74D8BA2E8E0F72284D69E8B2854674594193ADA2E4956F6A6161F8A281F1CBA1F1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4758456
Entropy (8bit):7.9868993000639845
Encrypted:false
SSDEEP:98304:EIztAOnrDbONTcfRkAtNpf3oGEUa1E0roN0fcDUcfHySM:piOHscGINSGEUa1pa00DUlSM
MD5:E4E292C563B51EB8AC526103A736AA9F
SHA1:52CEDF2CCBE9816DD71E25785F3C227C88A97E82
SHA-256:8699D7890F44CA0A7FA44796886DD9129D2F621D15E78043667D7A8E297F4908
SHA-512:DA0B5F202A774133914C2C85598F27FE46DEB5520C533F030B9DC4FE89C6CA66B4143D826E13206070B82C6F50124F5879B12D25CCB3B170AFEE61C4EE39C050
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:data
Category:dropped
Size (bytes):6100183
Entropy (8bit):7.970907477115673
Encrypted:false
SSDEEP:98304:5RumfOlbeaEnjdEqiPR6ppmLAnjbg8iFoCKjYjtgCVnZrdVmDJiFq9kg22LU:5Ru9Ve9xEqM6Hm2bg8kKCRFmDJIikx
MD5:50CC3FC19ED36031A5B9A49365DFC6BF
SHA1:51032E78848970154558690C4B76D2E6C017143B
SHA-256:16BC5778331435D0CB76A9ABD49933BA64B09F79B5C0151AD1DA3192B78159CC
SHA-512:73B02C2F13BDF9DFF99ED3F9DF3F2C376BED80FD471430111AFD414CAC27CAD21DBE4EE20FBD78F9E63C354FFA47E4AE23396E41723C7A9076D25D33A680FC43
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:data
Category:dropped
Size (bytes):411229
Entropy (8bit):6.71411131429597
Encrypted:false
SSDEEP:6144:s1eE0EVdcrCZPTlQU7NlTsCdASeMZlrATFCGgcydE4ktEjL7e9ZOAhhK:5Enc8PThlTzlZJATFGdSAYE
MD5:2BF457117F9FA04E13B9F2C8B90AF971
SHA1:7143EEAB861D2FE155FDEA658635CBC922BEA3C1
SHA-256:F1AED998EA3CF49D090F3865EA990601A44C17D3353387B0B3E1892F2F4D06AD
SHA-512:D0A5076C85DAE0BB2DC2D9B937B6A77AD97ACDC710667E87CAADD47917989CEF70FA2EC5E2002C5D0D49C75EB43966C9C0D595DFAD25C467770C8A8E2685DF1E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1527528
Entropy (8bit):6.6753627354933744
Encrypted:false
SSDEEP:24576:+JOglUaWQcgBX4pa4SLLsQ+VWiDx6F/kvXTG860PvmeCI:+kyWEBi0Q7WiZXTLPueCI
MD5:406649A8EBDBEE64943B69C2B49248C8
SHA1:03D2BC4FA3335ED2790E9DEB2683C193BC93FF14
SHA-256:04F0B3427F1C9B374BD1266ACAB80EB5C763F4196E4ACDDE195AD79396BF5D5B
SHA-512:FBD7F6AEC8B84C22E9DB3B14CC3E1E3AA22FA03A16296B4185EEA1FF2343DDB449A8CEF580870942FDA8B25276A314E6722A811CD6C451A8ACC8C80A2BA021A5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2133356
Entropy (8bit):7.958858034406502
Encrypted:false
SSDEEP:49152:hEm1GGw/Zh77JiahbzAhYvyBgNJNAh6gc+h66Jku9ZpD+V+sYogi6u:hESIRhhikzvyGNJNAh6gl66j7snVR
MD5:CE1B25AFC637CD65CA2073ED4CAA0F89
SHA1:DF63FFF356F10CC91817C287C155A2936603DBE2
SHA-256:FB11CDF43004A2501A8A550D333127C0076FEE06C4D7764A9EDCE100158C9874
SHA-512:E546CB491563F4744971656D0FA0D989132BCED70B62620A7A569F22BE3A61892E15A64B47B7DAB814D2EE0963CF3141A1322E6608A5501AC0458DD877EB1328
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6603672
Entropy (8bit):7.865075735815504
Encrypted:false
SSDEEP:196608:NAytnH/3fbFaZtxD+snNf+TNa7QXaVHMeq6R9dTa27:iyt3OUZEfHMidH
MD5:5015AF231898F219B9449875055BD991
SHA1:8776F311ACBB9AD29B7AF7C5B1ACCDAB33AB3166
SHA-256:DA90259734B79DFA1DC1BB104B0099DC16831B42A3D27BB4397C48E879577455
SHA-512:B94B81BA856E3F6CB4703BB8CAAA62FC5A91F4227BC984E30A75811D86AC13BCD66593219C6282141141ED186F331FCE87494EC0196D35E35147DA7859FA9AA1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1095248
Entropy (8bit):7.3847854536731194
Encrypted:false
SSDEEP:24576:Z+8FYDQIdsIi3ZVmrdZvGk6Vl5WCu36ivyh9cuiJh/G5L73oH:YtuZERsk6n5WCQLucq3oH
MD5:839A48C3AFC914A5627B5F68D5332AFF
SHA1:CA8E9D49A598AD614E8861E31DDCECCA3C8ABB4A
SHA-256:4F856B9B0940C7627CC13329E5B9B99A21EDD1AB466DABD53241077C0F6353D2
SHA-512:ED699354E851860F62C113F0F419C61D95395E3FB8F441C9BEC7A3F47CE2449930B23627463284E00B8D536A1F9C576C5956DD4555343C3179F73B5C1FE87D00
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 10%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3275912
Entropy (8bit):6.704682677119929
Encrypted:false
SSDEEP:49152:RI01naSsx4G5NT+NLHBTkBGm5sebVCfT9TT6S0mxf+Q0d:bG5NKN6nh86Lmxfyd
MD5:3909D43C55B62C3AC16D2843A63F857B
SHA1:A6879E7DB07033B7908D34DA720C39A45613EEE5
SHA-256:A7D833EEE668FBB9EC815B71845A3C434E77AE3CF7ECCD91C60C3F109C5181E1
SHA-512:9978946EB01CDB898C915D77A7D1818A2B17C7C851D07432FA667E80C1F19F35F057150E9822B3A0E4DD6706C6C79E835479487662339FEF08C0A0B09E0521A0
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\5927.2.15.32233\is-VF533.tmp, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 8%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):2928656
Entropy (8bit):7.801050631407657
Encrypted:false
SSDEEP:49152:ItR906umMr2gLi03MyyrDDfaDXT/51tS7+3ICGd50ygYi5e6I2apCT:It30rmhQp3MxnaDXTj94PdClDOe
MD5:146EA26DF8192F1E0DC560E292270461
SHA1:C01148F924CC878885F760FB3F8DAFBA5D3BFCCD
SHA-256:CD06EC5230853CB39C9786B680FDA7A0755673E9F21339C0DC7AF6A9B2D2BAD7
SHA-512:624A4C945A8528CC141C7B1A3C3F158457508E71BC457A5F154AAC2DDC118B74D8BA2E8E0F72284D69E8B2854674594193ADA2E4956F6A6161F8A281F1CBA1F1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:data
Category:dropped
Size (bytes):411229
Entropy (8bit):6.71411131429597
Encrypted:false
SSDEEP:6144:s1eE0EVdcrCZPTlQU7NlTsCdASeMZlrATFCGgcydE4ktEjL7e9ZOAhhK:5Enc8PThlTzlZJATFGdSAYE
MD5:2BF457117F9FA04E13B9F2C8B90AF971
SHA1:7143EEAB861D2FE155FDEA658635CBC922BEA3C1
SHA-256:F1AED998EA3CF49D090F3865EA990601A44C17D3353387B0B3E1892F2F4D06AD
SHA-512:D0A5076C85DAE0BB2DC2D9B937B6A77AD97ACDC710667E87CAADD47917989CEF70FA2EC5E2002C5D0D49C75EB43966C9C0D595DFAD25C467770C8A8E2685DF1E
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2170952
Entropy (8bit):6.555833138686776
Encrypted:false
SSDEEP:49152:kMLPHrldaIVplxcLm3J4Xn1syCZA/zIWTm2bB5XTAndMQJIV4y:S6vh2bzcndjoj
MD5:7D81D10AA526A9F85DC4C4670AD7BDB3
SHA1:9F9AF5D9E70D901065104FE07291FB2354793ECE
SHA-256:70CDA5C9A8095D618F96B3BA330892A7A902CDCD9F9530E82F9CB6DCA5B8AC89
SHA-512:CE4C62D235FA3A23E93508D5F2F7157A45159F1C5DD6DCB24E6FE1ED9FC6F0D4AD8B5884A2304A58B2D56DF57E9CADDD206F512AC8E518E93A3CC46506A34E80
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:data
Category:dropped
Size (bytes):240343
Entropy (8bit):6.49164314704198
Encrypted:false
SSDEEP:6144:8sSk7Ct4W8i5u9kKvYwVOX6IrO6rZpbeGI3:BSx8iwkKvh86dQZpb7I3
MD5:57A0F4852EDDD8D4203B59FA9897DD21
SHA1:B52B42AED913CCB7F53221B2EBD3382BE00D472E
SHA-256:E7BBB4E10E44963ECD55ADB434CDFEB2096068D3A8CC0D82F2FCC7CFB8673CB6
SHA-512:F5A52F8992BD238D75B12E52932C5531A3382C31FC8EFFEDCA4EAC5420F30DF8A9B7D744AFD548F723EDF71074192117B8A0956C85F6624CC8C7889B4C669DD7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4311160
Entropy (8bit):7.980526290879143
Encrypted:false
SSDEEP:98304:IUhXP8QOfBY4E85J1s6S0HIte1adV2tvXG2RWUGT2/zpexUhqG:XhXP89J02G/FQUdEvXFTrpphqG
MD5:A6A41878AED135EBC51B899EE57F81BD
SHA1:7E3988FFCB7DCE02031B2EB65BEFA968D94E18B9
SHA-256:C7D28D502B476388E14F362A209D6F4BBD7E7DA993725A9166AFA746814C6942
SHA-512:3D692AC2711D4A02F5D481F763C3B0706A18683426A02E3461E677804DFB238BAF97666137C7F869B613AA510FDC5A04EFD2425B914BD23A113D8C1791C8DA6C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@..........................`......Y4B...@.................................4........@..P.............A.........d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc...P....@......................@..@.reloc..2....P......................@..B................................................................................................................................................................................................................................................................................................................

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.99671009739063
TrID:
• Win32 Executable (generic) a (10002005/4) 98.45%
• Inno Setup installer (109748/4) 1.08%
• Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: hGlhyegaG6.exe
File size: 33'266'825 bytes
MD5: 7915b71dd31bd2c6f7a6bba943525920
SHA1: 0eda1ff79008761704bf522162accb687894a965
SHA256: baf42171b1fc708641b1214b78090ff6b95c2f1dfcc3789b322831b5b811eb9d
SHA512: 547105439ab77dee34dec4cf4c2d1e92c47b2e431907eda479f3d85f10ac22be024bb5421d36447f4a79f8f861d5573ebbcb67414620e97c7315f2b85597e195
SSDEEP: 786432:Ivr1A/grfvGnjcELFbyzrtWiDdctmqqeq/dWqC/AIq:I1Q4W3UtPDdSq/aoJ
TLSH: 387733237287E53EE56E0B3605B2B21944FF7661A422BD26CBF444BCCF264905F2D74A
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: f0ccf4d4ccecf871
Entrypoint: 0x4a83bc
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 40ab50289f7ef5fae60801f88d4541fc
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F57D0651D95h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F57D06E371Bh
call 00007F57D06E326Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F57D06DDF48h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F57D064BE43h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F57D06DF273h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F57D06E37A3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F57D06EA48Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F57D06DFB68h
mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x13d7c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x13d7c | 0x13e00 | bcf1d506b69abcd88579fe6d65479c17 | False | 0.5466784591194969 | data | 6.5279729599424385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb438 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.5932213415355495
RT_STRING | 0xdbc60 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xdc058 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xdc334 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xdc764 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xdcbb0 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xdce84 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xdcf3c | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xdcfd8 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xdd34c | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xdd6e4 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdda4c | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xddcf0 | 0x10 | data | | | 1.5
RT_RCDATA | 0xddd00 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xde010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xde03c | 0x14 | data | English | United States | 1.25
RT_VERSION | 0xde050 | 0x584 | data | English | United States | 0.24858356940509915
RT_MANIFEST | 0xde5d4 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Description | Data
Comments | This installation was built with Inno Setup.
CompanyName |
FileDescription | 7.2.15.3 Setup
FileVersion |
LegalCopyright |
OriginalFileName |
ProductName | 7.2.15.3
ProductVersion | 7.2.15.3
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |


• Total Packets: 50
• 443 (HTTPS)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 27, 2025 18:21:34.891890049 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:34.891918898 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:34.891998053 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:34.919771910 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:34.919791937 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.636918068 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.636996984 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.637844086 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.637902975 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.648960114 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.648971081 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.649194002 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.652545929 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.695329905 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.897948980 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.898173094 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:35.898241043 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.905026913 CET | 49733 | 443 | 192.168.2.4 | 2.19.11.98
Feb 27, 2025 18:21:35.905062914 CET | 443 | 49733 | 2.19.11.98 | 192.168.2.4
Feb 27, 2025 18:21:36.981259108 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.981281042 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:36.981384039 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.982131958 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.982181072 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:36.982253075 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.982615948 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.982631922 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:36.982647896 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.982669115 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:36.997062922 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.997085094 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:36.997149944 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.997514009 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:36.997528076 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.027621031 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.027653933 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.027745008 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.028078079 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.028093100 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.460535049 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.460608006 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.461105108 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.461168051 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.463452101 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.463463068 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.463879108 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.464469910 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.464479923 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.464864016 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.464925051 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.465536118 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.472111940 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.472232103 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.474076986 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.474087000 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.474385977 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.475018978 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.507334948 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.507337093 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.510499001 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.510706902 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.515331030 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.525537968 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.525563955 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.525825977 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.539061069 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.579339981 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.585026979 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.585278988 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.585335970 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.585829973 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.585916996 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.585961103 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.589631081 CET | 49735 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.589648962 CET | 443 | 49735 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.601927996 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.601994991 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.602041960 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.625334024 CET | 49734 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:37.625349998 CET | 443 | 49734 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.665874004 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.665942907 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:37.666001081 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:38.008590937 CET | 49737 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:38.008627892 CET | 443 | 49737 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:38.168984890 CET | 49736 | 443 | 192.168.2.4 | 34.117.223.223
Feb 27, 2025 18:21:38.169024944 CET | 443 | 49736 | 34.117.223.223 | 192.168.2.4
Feb 27, 2025 18:21:42.199063063 CET | 60676 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:42.204165936 CET | 53 | 60676 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:42.204237938 CET | 60676 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:42.209434986 CET | 53 | 60676 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:42.653676033 CET | 60676 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:42.658864021 CET | 53 | 60676 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:42.658941984 CET | 60676 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 27, 2025 18:21:34.865267992 CET | 56675 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:34.874691010 CET | 53 | 56675 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:36.973237038 CET | 56679 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:36.973237038 CET | 56678 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:36.980290890 CET | 53 | 56679 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:36.980874062 CET | 53 | 56678 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:36.988529921 CET | 56682 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:36.996118069 CET | 53 | 56682 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:37.019887924 CET | 56684 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2025 18:21:37.026649952 CET | 53 | 56684 | 1.1.1.1 | 192.168.2.4
Feb 27, 2025 18:21:42.198699951 CET | 53 | 64666 | 1.1.1.1 | 192.168.2.4
                                                                                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                            Feb 27, 2025 18:21:34.865267992 CET192.168.2.41.1.1.10x7580Standard query (0)s-overseer.avcdn.netA (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.973237038 CET192.168.2.41.1.1.10x964fStandard query (0)v7event.stats.avast.comA (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.973237038 CET192.168.2.41.1.1.10x3c8aStandard query (0)analytics.ff.avast.comA (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.988529921 CET192.168.2.41.1.1.10x4cd4Standard query (0)v7event.stats.avast.comA (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:37.019887924 CET192.168.2.41.1.1.10x4d1fStandard query (0)analytics.ff.avast.comA (IP address)IN (0x0001)false
                                                                                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                            Feb 27, 2025 18:21:34.874691010 CET1.1.1.1192.168.2.40x7580No error (0)s-overseer.avcdn.nets-overseer.avcdn.net.akamaized.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:34.874691010 CET1.1.1.1192.168.2.40x7580No error (0)s-overseer.avcdn.net.akamaized.neta366.dscd.akamai.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:34.874691010 CET1.1.1.1192.168.2.40x7580No error (0)a366.dscd.akamai.net2.19.11.98A (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:34.874691010 CET1.1.1.1192.168.2.40x7580No error (0)a366.dscd.akamai.net2.19.11.112A (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.980290890 CET1.1.1.1192.168.2.40x964fNo error (0)v7event.stats.avast.comanalytics.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.980290890 CET1.1.1.1192.168.2.40x964fNo error (0)analytics.ff.avast.comanalytics-prod-gcp.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.980290890 CET1.1.1.1192.168.2.40x964fNo error (0)analytics-prod-gcp.ff.avast.com34.117.223.223A (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.980874062 CET1.1.1.1192.168.2.40x3c8aNo error (0)analytics.ff.avast.comanalytics-prod-gcp.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.980874062 CET1.1.1.1192.168.2.40x3c8aNo error (0)analytics-prod-gcp.ff.avast.com34.117.223.223A (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.996118069 CET1.1.1.1192.168.2.40x4cd4No error (0)v7event.stats.avast.comanalytics.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.996118069 CET1.1.1.1192.168.2.40x4cd4No error (0)analytics.ff.avast.comanalytics-prod-gcp.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:36.996118069 CET1.1.1.1192.168.2.40x4cd4No error (0)analytics-prod-gcp.ff.avast.com34.117.223.223A (IP address)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:37.026649952 CET1.1.1.1192.168.2.40x4d1fNo error (0)analytics.ff.avast.comanalytics-prod-gcp.ff.avast.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                            Feb 27, 2025 18:21:37.026649952 CET1.1.1.1192.168.2.40x4d1fNo error (0)analytics-prod-gcp.ff.avast.com34.117.223.223A (IP address)IN (0x0001)false
                                                                                                                                                                            • s-overseer.avcdn.net
                                                                                                                                                                            • analytics.ff.avast.com
                                                                                                                                                                            • v7event.stats.avast.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 2.19.11.98 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-27 17:21:35 UTC | 211 | OUT | GET /tools/avg/overseer/x64/overseer.exe.def HTTP/1.1
Host: s-overseer.avcdn.net
User-Agent: libcurl/8.0.1-DEV Schannel zlib/1.2.11 c-ares/1.19.0 nghttp2/1.48.0
Accept: */*
Accept-Encoding: deflate, gzip
2025-02-27 17:21:35 UTC | 430 | IN | HTTP/1.1 200 OK
Last-Modified: Tue, 01 Aug 2023 10:58:19 GMT
ETag: "64c8e54b-364"
Server: nginx
Access-Control-Allow-Origin: *
x-cache-status: HIT
x-origin-cache: vpsorigin-cache-re-prod-001.europe-west3-a.ppp-lopst-vpsorigin-10
Content-Type: text/plain
Content-Length: 868
Accept-Ranges: bytes
Cache-Control: max-age=11
Expires: Thu, 27 Feb 2025 17:21:46 GMT
Date: Thu, 27 Feb 2025 17:21:35 GMT
Connection: close
2025-02-27 17:21:35 UTC | 868 | IN | Data Raw: 5b 53 74 61 74 69 73 74 69 63 73 5d 0d 0a 49 61 76 73 3d 68 74 74 70 3a 2f 2f 76 37 65 76 65 6e 74 2e 73 74 61 74 73 2e 61 76 61 73 74 2e 63 6f 6d 2f 63 67 69 2d 62 69 6e 2f 69 61 76 73 65 76 65 6e 74 73 2e 63 67 69 0d 0a 0d 0a 5b 55 70 64 61 74 65 5d 0d 0a 4c 61 74 65 73 74 42 75 69 6c 64 3d 33 36 35 0d 0a 0d 0a 5b 55 70 64 61 74 65 2e 55 72 6c 2e 30 5d 0d 0a 4c 7a 6d 61 3d 68 74 74 70 3a 2f 2f 6f 76 65 72 73 65 65 72 2e 74 6f 6f 6c 73 2e 61 76 63 64 6e 2e 6e 65 74 2f 74 6f 6f 6c 73 2f 61 76 67 2f 6f 76 65 72 73 65 65 72 2f 78 36 34 2f 6f 76 65 72 73 65 65 72 2e 65 78 65 2e 33 36 35 2e 6c 7a 6d 61 0d 0a 43 61 62 69 6e 65 74 3d 68 74 74 70 3a 2f 2f 6f 76 65 72 73 65 65 72 2e 74 6f 6f 6c 73 2e 61 76 63 64 6e 2e 6e 65 74 2f 74 6f 6f 6c 73 2f 61 76 67 2f 6f
Data Ascii: [Statistics]Iavs=http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi[Update]LatestBuild=365[Update.Url.0]Lzma=http://overseer.tools.avcdn.net/tools/avg/overseer/x64/overseer.exe.365.lzmaCabinet=http://overseer.tools.avcdn.net/tools/avg/o


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-27 17:21:37 UTC | 205 | OUT | POST /v4/receive/json/56 HTTP/1.1
Host: analytics.ff.avast.com
Accept: */*
Accept-Encoding: deflate, gzip
Content-Type: application/json
User-Agent: Overseer.214.478/x64.19045
Content-Length: 402
2025-02-27 17:21:37 UTC | 402 | OUT | Data Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 73 75 62 74 79 70 65 22 3a 31 2c 22 74 69 6d 65 22 3a 31 37 34 30 36 38 32 32 39 31 31 30 39 2c 22 74 79 70 65 22 3a 35 36 7d 2c 22 69 64 65 6e 74 69 74 79 22 3a 7b 22 67 75 69 64 22 3a 22 22 2c 22 68 77 69 64 22 3a 22 33 46 35 43 37 43 44 34 34 44 31 46 36 41 43 37 36 39 39 33 34 43 41 44 41 32 36 37 42 34 44 46 45 45 31 39 42 35 46 46 46 46 46 36 32 38 36 36 38 30 34 36 45 45 36 44 30 32 42 45 34 44 31 44 22 7d 2c 22 6f 76 65 72 73 65 65 72 22 3a 7b 22 61 63 74 69 6f 6e 22 3a 22 73 74 61 72 74 65 64 22 2c 22 72 65 73 75 6c 74 22 3a 22 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 39 36 38 38 32 32 31 36 2d 65 31 65 30 2d 34 62 66 61 2d 38 38 33 65 2d 32 36 39 35 61 33 36 39 31 62 61 38
Data Ascii: {"record":[{"event":{"subtype":1,"time":1740682291109,"type":56},"identity":{"guid":"","hwid":"3F5C7CD44D1F6AC769934CADA267B4DFEE19B5FFFFF628668046EE6D02BE4D1D"},"overseer":{"action":"started","result":"","session_id":"96882216-e1e0-4bfa-883e-2695a3691ba8
2025-02-27 17:21:37 UTC | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Feb 2025 17:21:37 GMT
Content-Type: application/json
Content-Length: 19
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2025-02-27 17:21:37 UTC | 19 | IN | Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
Data Ascii: {"processed": true}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49736 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-27 17:21:37 UTC | 246 | OUT | POST /cgi-bin/iavsevents.cgi HTTP/1.1
Host: v7event.stats.avast.com
User-Agent: libcurl/8.0.1-DEV Schannel zlib/1.2.11 c-ares/1.19.0 nghttp2/1.48.0
Accept: */*
Accept-Encoding: deflate, gzip
Content-Type: iavs4/stats
Content-Length: 205
2025-02-27 17:21:37 UTC | 205 | OUT | Data Raw: 65 64 69 74 69 6f 6e 3d 30 0a 65 76 65 6e 74 3d 6f 76 65 72 73 65 65 72 5f 66 69 6e 69 73 68 65 64 0a 65 78 65 5f 76 65 72 73 69 6f 6e 3d 31 2e 30 2e 34 37 38 2e 30 0a 6d 69 64 65 78 3d 33 46 35 43 37 43 44 34 34 44 31 46 36 41 43 37 36 39 39 33 34 43 41 44 41 32 36 37 42 34 44 46 45 45 31 39 42 35 46 46 46 46 46 36 32 38 36 36 38 30 34 36 45 45 36 44 30 32 42 45 34 44 31 44 0a 6f 73 3d 77 69 6e 2c 31 30 2c 30 2c 32 2c 31 39 30 34 35 2c 30 2c 41 4d 44 36 34 0a 73 74 61 74 5f 73 65 73 73 69 6f 6e 3d 39 36 38 38 32 32 31 36 2d 65 31 65 30 2d 34 62 66 61 2d 38 38 33 65 2d 32 36 39 35 61 33 36 39 31 62 61 38 0a
Data Ascii: edition=0event=overseer_finishedexe_version=1.0.478.0midex=3F5C7CD44D1F6AC769934CADA267B4DFEE19B5FFFFF628668046EE6D02BE4D1Dos=win,10,0,2,19045,0,AMD64stat_session=96882216-e1e0-4bfa-883e-2695a3691ba8
2025-02-27 17:21:37 UTC | 172 | IN | HTTP/1.1 204 No Content
Server: nginx
Date: Thu, 27 Feb 2025 17:21:37 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49734 | 34.117.223.223 | 443 | 3992 | C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-27 17:21:37 UTC | 246 | OUT | POST /cgi-bin/iavsevents.cgi HTTP/1.1
Host: v7event.stats.avast.com
User-Agent: libcurl/8.0.1-DEV Schannel zlib/1.2.11 c-ares/1.19.0 nghttp2/1.48.0
Accept: */*
Accept-Encoding: deflate, gzip
Content-Type: iavs4/stats
Content-Length: 204
2025-02-27 17:21:37 UTC | 204 | OUT | Data Raw: 65 64 69 74 69 6f 6e 3d 30 0a 65 76 65 6e 74 3d 6f 76 65 72 73 65 65 72 5f 73 74 61 72 74 65 64 0a 65 78 65 5f 76 65 72 73 69 6f 6e 3d 31 2e 30 2e 34 37 38 2e 30 0a 6d 69 64 65 78 3d 33 46 35 43 37 43 44 34 34 44 31 46 36 41 43 37 36 39 39 33 34 43 41 44 41 32 36 37 42 34 44 46 45 45 31 39 42 35 46 46 46 46 46 36 32 38 36 36 38 30 34 36 45 45 36 44 30 32 42 45 34 44 31 44 0a 6f 73 3d 77 69 6e 2c 31 30 2c 30 2c 32 2c 31 39 30 34 35 2c 30 2c 41 4d 44 36 34 0a 73 74 61 74 5f 73 65 73 73 69 6f 6e 3d 39 36 38 38 32 32 31 36 2d 65 31 65 30 2d 34 62 66 61 2d 38 38 33 65 2d 32 36 39 35 61 33 36 39 31 62 61 38 0a
Data Ascii: edition=0event=overseer_startedexe_version=1.0.478.0midex=3F5C7CD44D1F6AC769934CADA267B4DFEE19B5FFFFF628668046EE6D02BE4D1Dos=win,10,0,2,19045,0,AMD64stat_session=96882216-e1e0-4bfa-883e-2695a3691ba8
2025-02-27 17:21:37 UTC | 172 | IN | HTTP/1.1 204 No Content
Server: nginx
Date: Thu, 27 Feb 2025 17:21:37 GMT
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


                                                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                            4192.168.2.44973734.117.223.2234433992C:\Users\user\AppData\Roaming\5927.2.15.32233\overseer.exe
                                                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                                                            2025-02-27 17:21:37 UTC205OUTPOST /v4/receive/json/56 HTTP/1.1
                                                                                                                                                                            Host: analytics.ff.avast.com
                                                                                                                                                                            Accept: */*
                                                                                                                                                                            Accept-Encoding: deflate, gzip
                                                                                                                                                                            Content-Type: application/json
                                                                                                                                                                            User-Agent: Overseer.214.478/x64.19045
                                                                                                                                                                            Content-Length: 403
                                                                                                                                                                            2025-02-27 17:21:37 UTC403OUTData Raw: 7b 22 72 65 63 6f 72 64 22 3a 5b 7b 22 65 76 65 6e 74 22 3a 7b 22 73 75 62 74 79 70 65 22 3a 31 2c 22 74 69 6d 65 22 3a 31 37 34 30 36 38 32 32 39 31 31 37 32 2c 22 74 79 70 65 22 3a 35 36 7d 2c 22 69 64 65 6e 74 69 74 79 22 3a 7b 22 67 75 69 64 22 3a 22 22 2c 22 68 77 69 64 22 3a 22 33 46 35 43 37 43 44 34 34 44 31 46 36 41 43 37 36 39 39 33 34 43 41 44 41 32 36 37 42 34 44 46 45 45 31 39 42 35 46 46 46 46 46 36 32 38 36 36 38 30 34 36 45 45 36 44 30 32 42 45 34 44 31 44 22 7d 2c 22 6f 76 65 72 73 65 65 72 22 3a 7b 22 61 63 74 69 6f 6e 22 3a 22 66 69 6e 69 73 68 65 64 22 2c 22 72 65 73 75 6c 74 22 3a 22 22 2c 22 73 65 73 73 69 6f 6e 5f 69 64 22 3a 22 39 36 38 38 32 32 31 36 2d 65 31 65 30 2d 34 62 66 61 2d 38 38 33 65 2d 32 36 39 35 61 33 36 39 31 62 61
                                                                                                                                                                            Data Ascii: {"record":[{"event":{"subtype":1,"time":1740682291172,"type":56},"identity":{"guid":"","hwid":"3F5C7CD44D1F6AC769934CADA267B4DFEE19B5FFFFF628668046EE6D02BE4D1D"},"overseer":{"action":"finished","result":"","session_id":"96882216-e1e0-4bfa-883e-2695a3691ba
2025-02-27 17:21:37 UTC 216 IN HTTP/1.1 200 OK
                                                                                                                                                                            Server: nginx
                                                                                                                                                                            Date: Thu, 27 Feb 2025 17:21:37 GMT
                                                                                                                                                                            Content-Type: application/json
                                                                                                                                                                            Content-Length: 19
                                                                                                                                                                            Via: 1.1 google
                                                                                                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                                                                                            Connection: close
2025-02-27 17:21:37 UTC 19 IN Data Raw: 7b 22 70 72 6f 63 65 73 73 65 64 22 3a 20 74 72 75 65 7d
                                                                                                                                                                            Data Ascii: {"processed": true}



                                                                                                                                                                            Target ID:0
                                                                                                                                                                            Start time:12:21:27
                                                                                                                                                                            Start date:27/02/2025
                                                                                                                                                                            Path:C:\Users\user\Desktop\hGlhyegaG6.exe
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\hGlhyegaG6.exe"
                                                                                                                                                                            Imagebase:0x8d0000
                                                                                                                                                                            File size:33'266'825 bytes
                                                                                                                                                                            MD5 hash:7915B71DD31BD2C6F7A6BBA943525920
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Target ID:1
                                                                                                                                                                            Start time:12:21:27
                                                                                                                                                                            Start date:27/02/2025
                                                                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp
                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-J21NL.tmp\hGlhyegaG6.tmp" /SL5="$30584,32291600,857600,C:\Users\user\Desktop\hGlhyegaG6.exe"
                                                                                                                                                                            Imagebase:0xc60000
                                                                                                                                                                            File size:3'347'968 bytes
                                                                                                                                                                            MD5 hash:6E8DE531DFA6FFD065F93E3902A1CB51
                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                            Reputation:low
                                                                                                                                                                            Has exited:true

                                                                                                                                                                            Non-executed Functions

                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000003.1857272430.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Offset: 00565000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_3_558000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 25b:$25b:
                                                                                                                                                                            • API String ID: 0-1328518886
                                                                                                                                                                            • Opcode ID: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction ID: 667231c1d18cb8ff8a8090b115d3e08aafa068c32c27adc3efcb96aa37a62678
                                                                                                                                                                            • Opcode Fuzzy Hash: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BF0F26A95E7C08FD3035B249C251007F31AEA730071E85D78680DF5E3E5284C8A8B23
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000003.1857272430.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Offset: 00558000, based on PE: false
• Associated: 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_3_558000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 25b:$25b:
                                                                                                                                                                            • API String ID: 0-1328518886
                                                                                                                                                                            • Opcode ID: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction ID: 667231c1d18cb8ff8a8090b115d3e08aafa068c32c27adc3efcb96aa37a62678
                                                                                                                                                                            • Opcode Fuzzy Hash: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BF0F26A95E7C08FD3035B249C251007F31AEA730071E85D78680DF5E3E5284C8A8B23
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000003.1857272430.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Offset: 00566000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_3_558000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 25b:$25b:
                                                                                                                                                                            • API String ID: 0-1328518886
                                                                                                                                                                            • Opcode ID: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction ID: 667231c1d18cb8ff8a8090b115d3e08aafa068c32c27adc3efcb96aa37a62678
                                                                                                                                                                            • Opcode Fuzzy Hash: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BF0F26A95E7C08FD3035B249C251007F31AEA730071E85D78680DF5E3E5284C8A8B23
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000003.1857272430.0000000000565000.00000004.00000020.00020000.00000000.sdmp, Offset: 00569000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_3_558000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 25b:$25b:
                                                                                                                                                                            • API String ID: 0-1328518886
                                                                                                                                                                            • Opcode ID: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction ID: 667231c1d18cb8ff8a8090b115d3e08aafa068c32c27adc3efcb96aa37a62678
                                                                                                                                                                            • Opcode Fuzzy Hash: e9726782dad52ad2307eacf6277b021cccd0c9daa60b887694663c05a732a9fb
                                                                                                                                                                            • Instruction Fuzzy Hash: 9BF0F26A95E7C08FD3035B249C251007F31AEA730071E85D78680DF5E3E5284C8A8B23
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000002.1859768233.0000000140001000.00000020.00000001.01000000.00000006.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000002.00000002.1859747133.0000000140000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1859908357.0000000140180000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1859962480.00000001401E1000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1859987471.00000001401E3000.00000008.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1860016053.00000001401E9000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1860016053.00000001401ED000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1860071003.00000001401EE000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_2_140000000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 09f552162c86fe3cb9e43fb7bc09dc5dee6977ce023b12b422b91c45e495978d
                                                                                                                                                                            • Instruction ID: d30704f899d3f9e0ae29572ea7f576f3b9c5c459ef203dfb6ef42c077b99da0f
                                                                                                                                                                            • Opcode Fuzzy Hash: 09f552162c86fe3cb9e43fb7bc09dc5dee6977ce023b12b422b91c45e495978d
                                                                                                                                                                            • Instruction Fuzzy Hash: 74224F7758830C4F9329EEE5E9851CAB392F384650F49913C8B4687B05FEFCB51A96C4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000002.00000003.1855934063.0000000000559000.00000004.00000020.00020000.00000000.sdmp, Offset: 00558000, based on PE: false
• Associated: 00000002.00000003.1835644176.0000000000558000.00000004.00000020.00020000.00000000.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_2_3_558000_overseer.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3064b9a09c035c55807abd5aadf5055be7f8d23955752dfe3bdcc17209cf7c23
• Instruction ID: cf5af5c9658913062ab014a0cb1a4bbfb507114ee258b908e3003b9765d19c00
• Opcode Fuzzy Hash: 3064b9a09c035c55807abd5aadf5055be7f8d23955752dfe3bdcc17209cf7c23
• Instruction Fuzzy Hash: 1741E61244EBC41FC70383740CB99A23FBA9E1310635F40EBD4C4CF4A3D14A2A5AEB26

Memory Dump Source
• Source File: 00000002.00000003.1855934063.0000000000559000.00000004.00000020.00020000.00000000.sdmp, Offset: 00559000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_3_558000_overseer.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction ID: cf5af5c9658913062ab014a0cb1a4bbfb507114ee258b908e3003b9765d19c00
• Opcode Fuzzy Hash: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction Fuzzy Hash: 1741E61244EBC41FC70383740CB99A23FBA9E1310635F40EBD4C4CF4A3D14A2A5AEB26

Memory Dump Source
• Source File: 00000002.00000003.1855934063.0000000000559000.00000004.00000020.00020000.00000000.sdmp, Offset: 0055F000, based on PE: false
• Associated: 00000002.00000003.1835969909.000000000055F000.00000004.00000020.00020000.00000000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_3_558000_overseer.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction ID: cf5af5c9658913062ab014a0cb1a4bbfb507114ee258b908e3003b9765d19c00
• Opcode Fuzzy Hash: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction Fuzzy Hash: 1741E61244EBC41FC70383740CB99A23FBA9E1310635F40EBD4C4CF4A3D14A2A5AEB26

Memory Dump Source
• Source File: 00000002.00000003.1855934063.0000000000559000.00000004.00000020.00020000.00000000.sdmp, Offset: 0055B000, based on PE: false

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_3_558000_overseer.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction ID: cf5af5c9658913062ab014a0cb1a4bbfb507114ee258b908e3003b9765d19c00
• Opcode Fuzzy Hash: 55fc8d77c4bc0e8789d6639cc61042821f86b19e8f9d86296beb8b96a30e3f32
• Instruction Fuzzy Hash: 1741E61244EBC41FC70383740CB99A23FBA9E1310635F40EBD4C4CF4A3D14A2A5AEB26