Analysis Report rSYbV3jx0K.exe

Overview

General Information

Sample Name: rSYbV3jx0K.exe
Analysis ID: 400708
MD5: e4d8a5580372bcff92a7be2f385eb7f7
SHA1: 31b731099104f5dfda61b79dcea723d3cd5e1d84
SHA256: 19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
Tags: exe, RedLineStealer

Detection

AsyncRAT, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AsyncRAT
Yara detected SmokeLoader
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
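Three of the behaviours in the signature list above are well suited to a process-tree detection: "Wscript starts Powershell (via cmd or directly)", "Bypasses PowerShell execution policy" and "Adds a directory exclusion to Windows Defender". The block below is an added example of that detection logic run over a constructed process chain; it is not code from the report or from the sample, and the command lines are invented for illustration because this page does not show the sample's real ones. `ProcEvent`, `detect` and the two regular expressions are this example's own names.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str      # lower-case file name only, e.g. "powershell.exe"
    cmdline: str


# Constructed process chain; the sample's real command lines are not on this page.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe",
              'wscript.exe "C:\\Users\\user\\AppData\\Local\\Temp\\stage.vbs"'),
    ProcEvent(300, 200, "cmd.exe",
              'cmd /c powershell -ep bypass -w hidden -c "Add-MpPreference -ExclusionPath %APPDATA%"'),
    ProcEvent(400, 300, "powershell.exe",
              'powershell -ep bypass -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming"'),
    ProcEvent(500, 100, "powershell.exe", "powershell -NoProfile -Command Get-Date"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PASSTHROUGH = {"cmd.exe"}   # shells allowed between the script host and PowerShell
MAX_DEPTH = 8

# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec).
EP_BYPASS = re.compile(r"(?i)[-/](?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b")
# Defender exclusion via the MpPreference cmdlets: path, process or extension.
DEFENDER_EXCL = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b")


def script_host_ancestor(ev, by_pid):
    """Return the wscript/cscript ancestor of ev if only pass-through shells sit
    between them, None otherwise (this is the 'via cmd or directly' case)."""
    cur = by_pid.get(ev.ppid)
    for _ in range(MAX_DEPTH):
        if cur is None:
            return None
        if cur.image in SCRIPT_HOSTS:
            return cur
        if cur.image not in PASSTHROUGH:
            return None
        cur = by_pid.get(cur.ppid)
    return None


def detect(events):
    """Return (rule, pid, related_pid) tuples for every PowerShell process that
    matches one of the three behaviours; cmd.exe wrappers are not double-counted."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image not in ("powershell.exe", "pwsh.exe"):
            continue
        host = script_host_ancestor(e, by_pid)
        if host is not None:
            findings.append(("wscript_starts_powershell", e.pid, host.pid))
        if EP_BYPASS.search(e.cmdline):
            findings.append(("execution_policy_bypass", e.pid, None))
        if DEFENDER_EXCL.search(e.cmdline):
            findings.append(("defender_exclusion_added", e.pid, None))
    return findings


if __name__ == "__main__":
    for rule, pid, related in detect(EVENTS):
        print(f"{rule}: pid={pid}" + (f" script_host_pid={related}" if related else ""))
```

Two caveats when using this on real telemetry: `Add-MpPreference` only succeeds with administrative rights, so a successful exclusion implies an elevation step somewhere in the chain (the report lists "Contains functionality to launch a program with higher privileges" and several AdvancedRun.exe processes, whose command lines this page does not show), and the cmdlet can also be invoked through encoded commands or `Set-MpPreference`, which the regex covers only for the plain-text form.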

Classification

Classification radar chart (not reproduced here). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\fstdhrc Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\84F0.exe Avira: detection malicious, Label: TR/Crypt.ULPM.Gen
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\tbjvcq.exe Avira: detection malicious, Label: TR/Crypt.ULPM.Gen
Found malware configuration
Source: 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp Malware Configuration Extractor: AsyncRAT
{
  "Server": "null",
  "Ports": "null",
  "Version": "0.5.7B",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "Install_File": "",
  "AES_key": "8qTK5zOGKTFDhfISYupTRvALhuVbWSgX",
  "Mutex": "Aakn1515knAakn1515kn!",
  "AntiDetection": "false",
  "External_config_on_Pastebin": "https://pastebin.com/raw/uqaaCRiU",
  "BDOS": "false",
  "Startup_Delay": "3",
  "HWID": "null",
  "Certificate": "<removed>",
  "ServerSignature": "<removed>",
  "Group": "-=-=-=-=-=SPOOFER-=-=-=-=-="
}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\84F0.exe Metadefender: Detection: 43% Perma Link
Source: C:\Users\user\AppData\Local\Temp\84F0.exe ReversingLabs: Detection: 96%
Source: C:\Users\user\AppData\Local\Temp\8AAE.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\8D20.exe Metadefender: Detection: 15% Perma Link
Source: C:\Users\user\AppData\Local\Temp\8D20.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\8F34.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\910A.exe Metadefender: Detection: 15% Perma Link
Source: C:\Users\user\AppData\Local\Temp\910A.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\9CA4.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Metadefender: Detection: 54% Perma Link
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe ReversingLabs: Detection: 93%
Multi AV Scanner detection for submitted file
Source: rSYbV3jx0K.exe Virustotal: Detection: 64% Perma Link
Source: rSYbV3jx0K.exe ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\8F34.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\910A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9CA4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\okjnek.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\fstdhrc Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Onedrives.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8D20.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\84F0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tbjvcq.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\qicqii.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rSYbV3jx0K.exe Joe Sandbox ML: detected
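The "Found malware configuration" entry above reports the AsyncRAT master key (`AES_key`) that the client uses to decrypt its embedded settings strings. The block below is an added example, written for this page and not taken from the report, the sample or the AsyncRAT project, that reproduces that settings scheme as it appears in the public AsyncRAT/Quasar client source: the master key goes through PBKDF2-HMAC-SHA1 with a fixed salt and 50,000 iterations to yield a 32-byte AES key and a 64-byte HMAC key, and each setting is stored as Base64 of HMAC-SHA256(32) || IV(16) || AES-256-CBC ciphertext. The salt bytes and iteration count are recalled from that source and should be checked against the unpacked client before relying on them; the `cryptography` package is assumed to be installed for the AES step, and the encrypted strings used at the bottom are constructed, since the sample's own are not on this page.

```python
import base64
import hashlib
import hmac
import os

# Fixed salt and iteration count from the public AsyncRAT/Quasar Aes256 class
# (recalled from source; verify against the unpacked client before relying on it).
SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
    0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
    0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])
ITERATIONS = 50000
HMAC_LEN, IV_LEN, KEY_LEN, AUTH_KEY_LEN = 32, 16, 32, 64

# Master key exactly as the configuration extractor reported it for this sample.
MASTER_KEY = "8qTK5zOGKTFDhfISYupTRvALhuVbWSgX"


def derive_keys(master_key):
    """Rfc2898DeriveBytes(master, SALT, 50000) with GetBytes(32) followed by
    GetBytes(64): both come from one PBKDF2-HMAC-SHA1 output stream."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), SALT,
                                 ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_blob(blob):
    """Layout produced by Aes256.Encrypt: HMAC-SHA256(32) | IV(16) | ciphertext."""
    if len(blob) < HMAC_LEN + IV_LEN + 16:
        raise ValueError("blob shorter than HMAC + IV + one AES block")
    return blob[:HMAC_LEN], blob[HMAC_LEN:HMAC_LEN + IV_LEN], blob[HMAC_LEN + IV_LEN:]


def make_blob(iv, ciphertext, auth_key):
    """Assemble the wire format; the MAC covers IV || ciphertext only."""
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return tag + iv + ciphertext


def verify_blob(blob, auth_key):
    """The client checks this MAC before decrypting, so a wrong master key
    fails here rather than producing garbage plaintext."""
    tag, iv, ct = split_blob(blob)
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_setting(b64_setting, master_key):
    """Decrypt one Base64 settings string (Hosts, Ports, Mutex, ...)."""
    # Imported here so key derivation and MAC checks need only the stdlib.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    aes_key, auth_key = derive_keys(master_key)
    blob = base64.b64decode(b64_setting)
    if not verify_blob(blob, auth_key):
        raise ValueError("HMAC mismatch: wrong master key or corrupted setting")
    _, iv, ct = split_blob(blob)
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def encrypt_setting(plaintext, master_key):
    """Builder-side counterpart, used here only to construct test vectors since
    the sample's encrypted settings strings are not on this page."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    aes_key, auth_key = derive_keys(master_key)
    iv = os.urandom(IV_LEN)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode("utf-8")) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    return base64.b64encode(make_blob(iv, ct, auth_key)).decode("ascii")


if __name__ == "__main__":
    token = encrypt_setting("Aakn1515knAakn1515kn!", MASTER_KEY)   # constructed vector
    print(decrypt_setting(token, MASTER_KEY))
    try:
        decrypt_setting(token, "wrong-key")
    except ValueError as err:
        print("rejected:", err)
```

In a real extraction the Base64 settings strings come from the static fields of the unpacked client's `Settings` class, and the master key itself is stored there Base64-encoded; decoding it gives the 32-character string the extractor printed. Because the MAC is checked first, a key that does not verify is a definite mismatch rather than a padding error to guess at.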

Compliance:

Uses 32bit PE files
Source: rSYbV3jx0K.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49714 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49731 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49735 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.14.15:443 -> 192.168.2.3:49737 version: TLS 1.0
Source: rSYbV3jx0K.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.263722872.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000008.00000000.262482831.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000000.265543670.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.275669920.000000000040C000.00000002.00020000.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp, AdvancedRun.exe, 00000022.00000002.416632787.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000002.442189234.000000000040C000.00000002.00020000.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001B.00000000.367792261.000000000E2C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Btwgyizzspfr.exe, 00000016.00000002.443820156.000000006A851000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: Btwgyizzspfr.exe
Source: Binary string: C:\projects\costura\Costura\obj\Release\net40\Costura.pdb source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp
Source: Binary string: C:\projects\costura\Costura\obj\Release\net40\Costura.pdbSHA256 source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001B.00000000.367792261.000000000E2C0000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 193.142.146.202:8808 -> 192.168.2.3:49732
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: null (Server and Ports in the extracted configuration are "null"; with External_config_on_Pastebin set, the AsyncRAT client fetches its server:port from that paste at runtime, which is why the C2 appears in the traffic below but not in the static configuration)
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49732 -> 193.142.146.202:8808
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.99.190 104.23.99.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49714 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49731 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49734 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49735 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49736 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.14.15:443 -> 192.168.2.3:49737 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 193.142.146.202 (recorded 50 times)
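The network evidence above tells one story when read together: a DNS lookup of pastebin.com, TLS 1.0 sessions to Cloudflare-fronted addresses, then repeated connections to 193.142.146.202:8808 with no DNS query at all, and a Snort rule matching the AsyncRAT server certificate on that same endpoint. The block below is an added triage helper, not code from the report or the AsyncRAT project: it parses the report's own evidence lines into an IOC set and reproduces what an AsyncRAT client does with `External_config_on_Pastebin` (download the raw paste and split it on `:` into server and port, as recalled from the public client source). The paste body is constructed, since the real paste's content is not on this page; `NetIOCs`, `parse_network_evidence`, `resolve_pastebin_config` and `correlate` are this example's own names.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Evidence lines copied from the Networking section of this report.
REPORT_LINES = [
    "Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 193.142.146.202:8808 -> 192.168.2.3:49732",
    "Source: unknown DNS query: name: pastebin.com",
    "Source: global traffic TCP traffic: 192.168.2.3:49732 -> 193.142.146.202:8808",
    "Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad",
    "Source: unknown HTTPS traffic detected: 172.67.133.191:443 -> 192.168.2.3:49713 version: TLS 1.0",
    "Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49731 version: TLS 1.0",
    "Source: unknown TCP traffic detected without corresponding DNS query: 193.142.146.202",
    "Source: unknown TCP traffic detected without corresponding DNS query: 193.142.146.202",
    "Source: unknown DNS traffic detected: queries for: www.yoursite.com",
]

SANDBOX_PREFIX = "192.168.2."   # the analysis VM's range in this report; never an IOC

DNS_RE = re.compile(r"DNS (?:query: name|traffic detected: queries for): (\S+)")
TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> \S+:\d+ version: (TLS \S+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (\S+)")
SNORT_RE = re.compile(r"Snort IDS: (\d+) (.+?) (\S+):(\d+) -> \S+:\d+")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")


@dataclass
class NetIOCs:
    domains: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)       # (ip, port) the sample talked to
    legacy_tls: set = field(default_factory=set)      # (ip, port, version) below TLS 1.2
    no_dns: Counter = field(default_factory=Counter)  # direct-to-IP connections, per IP
    ids_alerts: list = field(default_factory=list)    # (sid, message, ip, port)
    ja3: set = field(default_factory=set)


def parse_network_evidence(lines):
    """Fold the report's 'Source:' lines into one IOC set."""
    iocs = NetIOCs()
    for line in lines:
        if m := DNS_RE.search(line):
            iocs.domains.add(m.group(1))
        elif m := TCP_RE.search(line):
            _src, _sport, dst, dport = m.groups()
            if not dst.startswith(SANDBOX_PREFIX):
                iocs.endpoints.add((dst, int(dport)))
        elif m := TLS_RE.search(line):
            # The report writes HTTPS lines server-first (server:443 -> client:ephemeral).
            ip, port, version = m.groups()
            iocs.endpoints.add((ip, int(port)))
            if version in ("TLS 1.0", "TLS 1.1"):
                iocs.legacy_tls.add((ip, int(port), version))
        elif m := NODNS_RE.search(line):
            iocs.no_dns[m.group(1)] += 1
        elif m := SNORT_RE.search(line):
            sid, msg, ip, port = m.groups()
            iocs.ids_alerts.append((int(sid), msg, ip, int(port)))
            iocs.endpoints.add((ip, int(port)))
        elif m := JA3_RE.search(line):
            iocs.ja3.add(m.group(1))
    return iocs


def resolve_pastebin_config(paste_body):
    """What an AsyncRAT client does with External_config_on_Pastebin: download the
    raw paste and split it on ':' into server and port (public client behaviour,
    as recalled here)."""
    host, port = paste_body.strip().split(":", 1)
    return host, int(port)


def correlate(iocs, paste_body):
    """Tie the resolved C2 back to what the sandbox actually observed."""
    host, port = resolve_pastebin_config(paste_body)
    return {
        "c2": (host, port),
        "c2_seen_in_traffic": (host, port) in iocs.endpoints,
        "c2_connects_without_dns": iocs.no_dns.get(host, 0),
        "c2_flagged_by_ids": any(ip == host and p == port for _, _, ip, p in iocs.ids_alerts),
        "pastebin_resolved": "pastebin.com" in iocs.domains,
        "legacy_tls_endpoints": sorted(iocs.legacy_tls),
    }


# Constructed paste body: the real paste's content is not on this page, but the
# observed C2 endpoint is what such a paste would have to contain.
CONSTRUCTED_PASTE = "193.142.146.202:8808"

if __name__ == "__main__":
    for key, value in correlate(parse_network_evidence(REPORT_LINES), CONSTRUCTED_PASTE).items():
        print(f"{key}: {value}")
```

The practical consequence for blocking: the Cloudflare addresses and pastebin.com are shared infrastructure and poor indicators on their own, while 193.142.146.202:8808, the JA3 hash and Snort SID 2030673 are the durable ones. Because the C2 lives in a paste rather than in the binary, the same sample can be re-pointed without a rebuild, so the paste URL itself (https://pastebin.com/raw/uqaaCRiU) belongs in the watch list alongside the IP.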
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-facebook elementor-repeater-item-ebfb8d4" href="https://www.facebook.com/yoursitecom/" target="_blank"> equals www.facebook.com (Facebook)
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-linkedin elementor-repeater-item-50beb24" href="https://www.linkedin.com/company/yoursite-com/about" target="_blank"> equals www.linkedin.com (Linkedin)
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: <a class="elementor-icon elementor-social-icon elementor-social-icon-youtube elementor-repeater-item-10c2bcd" href="https://www.youtube.com/channel/UCLZK6XZN3jgMsePkqtOUMQQ" target="_blank"> equals www.youtube.com (Youtube)
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: re logging in for the first time, you can choose your theme then start modifying straight-away.</p><p>Follow these simple steps to access and edit your website in our <a href="https://www.youtube.com/watch?v=9GFA9geUM64&amp;t=10s" target="_blank" rel="nofollow noopener">getting started tutorial.</a></p></div> equals www.youtube.com (Youtube)
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: re logging in for the first time, you can choose your theme then start modifying straight-away.</p><p>Follow these simple steps to access and edit your website in our <a href=\"https://www.youtube.com/watch?v=9GFA9geUM64&amp;t=10s\" target=\"_blank\" rel=\"nofollow noopener\">getting started tutorial.</a></p>" equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.yoursite.com
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: explorer.exe, 0000001B.00000000.372706029.000000000F7BA000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, rSYbV3jx0K.exe, 00000011.00000003.369471570.00000000056D3000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rSYbV3jx0K.exe, 00000011.00000003.311381129.00000000015C7000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6b1ad54bc8481
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, rSYbV3jx0K.exe, 00000011.00000003.369471570.00000000056D3000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: rSYbV3jx0K.exe, 00000000.00000002.291629390.00000000028BF000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.481471548.000000000305F000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/ns#
Source: rSYbV3jx0K.exe, 00000000.00000002.291545539.0000000002891000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.478220942.0000000003031000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: AdvancedRun.exe, AdvancedRun.exe, 00000009.00000000.265543670.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.275669920.000000000040C000.00000002.00020000.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp, AdvancedRun.exe, 00000022.00000002.416632787.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000002.442189234.000000000040C000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: http://www.schema.org
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001B.00000000.355313885.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://cdn.onesignal.com/sdks/OneSignalSDK.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.14.0/js/all.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css2?family=Montserrat:wght
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Fody/Costura/graphs/contributors
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Fody/Costura/graphs/contributors8
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://goo.gl/maps/Roub3qWpQhCHEKFf7
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/announcements
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;domain=transfer&#038;currency=3
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=224&#038;currency=3&#038;billingcycle=annually
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=26&#038;currency=3&#038;billingcycle=annually&#038;p
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=28&#038;currency=3&#038;billingcycle=annually
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=29&#038;currency=3&#038;billingcycle=annually
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=329&#038;currency=3&#038;billingcycle=annually
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=add&#038;pid=424&#038;currency=3&#038;billingcycle=annually
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/cart.php?a=view&#038;currency=3
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/clientarea.php
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/knowledgebase.php
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/knowledgebase/107/How-Do-I-Update-My-Domains-Name-Servers.html
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/privacy-policy.php
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/submitticket.php
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/submitticket.php?step=2&#038;deptid=11
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/submitticket.php?step=2&amp;deptid=11
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/submitticket.php?step=2&deptid=11
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://my.yoursite.com/terms.php
Source: rSYbV3jx0K.exe, 00000011.00000003.316647865.0000000006556000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/uqaaCRiU
Source: rSYbV3jx0K.exe, 00000000.00000002.291695087.00000000028D6000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.291704278.00000000028DA000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.481471548.000000000305F000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.483147308.0000000003076000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://s.rankmath.com/home
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://schema.org
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://schema.org/
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/YourSite_com
Source: rSYbV3jx0K.exe, 00000000.00000002.291240008.0000000000D0B000.00000004.00000020.sdmp, rSYbV3jx0K.exe, 00000011.00000003.369471570.00000000056D3000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000003.439733541.000000000147F000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-TZC5GBP
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://www.linkedin.com/company/yoursite-com/about
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: rSYbV3jx0K.exe, 00000000.00000002.291545539.0000000002891000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.478220942.0000000003031000.00000004.00000001.sdmp String found in binary or memory: https://www.yoursite.com
Source: rSYbV3jx0K.exe, 00000000.00000002.291545539.0000000002891000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.478220942.0000000003031000.00000004.00000001.sdmp String found in binary or memory: https://www.yoursite.com/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/channel/UCLZK6XZN3jgMsePkqtOUMQQ
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/watch?v=9GFA9geUM64&amp;t=10s
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com
Source: Onedrives.exe, 0000001A.00000002.481471548.000000000305F000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.483147308.0000000003076000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/#organization
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/#primaryImage
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/#schema-16664
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/#webpage
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/#website
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/?s=
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/about-us/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/backup/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/blog/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/comments/feed/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/domains/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/e-commerce/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/email-marketing/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/faq/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/feed/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/hosted-exchange/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/how-does-it-work/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/seo-tools/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/ssl-certificates/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/templates/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/usage-policy/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/vpn/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/web-hosting/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/website-importer/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/website-monitoring/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.2.1
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.1.4
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.1.4
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/js/frontend.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/js/preloaded-elements-handlers.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3.1.4
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?ver=
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.min.css?ver=5.1
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ve
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/regular.min.css?ver=5.
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=5.15
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/libs/framework/assets/js/frontend-script.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/modules/controls/assets/css/ekiticons.css?v
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/modules/controls/assets/css/widgetarea-edit
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/modules/controls/assets/js/widgetarea-edito
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/responsive.css?ver=
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/widgets/init/assets/css/widget-styles.css?v
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/elementor.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/slick.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/elementskit-lite/widgets/init/assets/js/widget-scripts.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/flatsite-serverless-search/dist/css/app.css?ver=5.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/plugins/flatsite-serverless-search/dist/js/app.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/search-index.json
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/animate.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/blog-style.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/bootstrap.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/domain-checker/style.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/jquery-ui.structure.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/jquery-ui.theme.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/magnific-popup.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/navigation.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/owl.carousel.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/owl.theme.default.min.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/responsive.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/style.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/css/xs_main.css?ver=1.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/Popper.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/bootstrap.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/elementor.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/hostslide.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/jquery-ui.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/jquery.ajaxchimp.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/jquery.magnific-popup.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/main.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/navigation.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/owl.carousel.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/shuffle-letters.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/tweetie.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/assets/js/wow.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/themes/hostinza/style.css?ver=5.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/Yoursite.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/favicon.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/icons-stack-1.svg
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/icons-stack-2.svg
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/icons-stack-4.svg
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/yoursite-fb-1.jpg
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/yoursite-logo.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/04/yoursite-twitter.jpg
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/artificial-intelligence-home-300x225.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/artificial-intelligence-home.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/dazzling-templates-300x168.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/dazzling-templates.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/header-home-300x197.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/header-home-768x505.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/header-home.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/icons-table-1.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/icons-table-2.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/icons-table-3.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/payment-gateways.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ssl-certificate.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/store-in-minutes.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-gallery-300x215.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-gallery.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-import-tool-300x168.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-import-tool.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-social-300x168.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/05/ys-social.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/06/logo-ys-light-1024x332.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/06/logo-ys-light-300x97.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/06/logo-ys-light-768x249.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/06/logo-ys-light.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/2020/06/logo-ys.png
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/elementor/css/global.css?ver=1618208183
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/elementor/css/post-2656.css?ver=1618844650
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/elementor/css/post-325.css?ver=1618924659
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/elementor/css/post-3271.css?ver=1618208183
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-content/uploads/elementor/thumbs/cpanel-2021-p2pa1mv4svclgquq99lu2yiw8yxaaen
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/js/jquery/jquery-migrate.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/js/jquery/jquery.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.482615869.0000000003072000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/js/jquery/ui/position.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/js/wp-embed.min.js
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-includes/wlwmanifest.xml
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-json/
Source: rSYbV3jx0K.exe, 00000000.00000002.292032728.0000000003899000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-json/elementskit/v1/
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-json/oembed/1.0/embed
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/wp-json/oembed/1.0/embed&#038;format=xml
Source: rSYbV3jx0K.exe, 00000000.00000002.292058740.00000000038B9000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com/xmlrpc.php
Source: rSYbV3jx0K.exe, 00000000.00000002.291704278.00000000028DA000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.483147308.0000000003076000.00000004.00000001.sdmp String found in binary or memory: https://yoursite.com4
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330710365.00000000065C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.497377287.0000000003135000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291845691.00000000029B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.490436569.0000000003083000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330330021.0000000001593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291750810.0000000002944000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.495365261.00000000030D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rSYbV3jx0K.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: Onedrives.exe PID: 6416, type: MEMORY
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.unpack, type: UNPACKEDPE
Yara detected SmokeLoader
Source: Yara match File source: C:\Users\user\AppData\Roaming\fstdhrc, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: dropped/Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: 22.0.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE
Creates a DirectInput object (often for capturing keystrokes)
Source: rSYbV3jx0K.exe, 00000000.00000002.291066991.0000000000C50000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the sole evidence for this signature is a hook-definition string naming DDRAW.DLL/DirectDrawCreateEx, which is a DirectDraw (graphics) entry point rather than a DirectInput one, found in memory of the main process; treat this keystroke-capture indicator as low confidence compared with the Yara matches above.

System Summary:

PE file has a writeable .text section
Source: Btwgyizzspfr.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
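The finding above is a static one: the .text section of the dropped Btwgyizzspfr.exe carries IMAGE_SCN_MEM_WRITE next to IMAGE_SCN_MEM_EXECUTE, which normal compiler output never has and which packers and self-decrypting loaders need. The following added example (written for this report, not code from the sandbox vendor or the sample) reproduces the check with a standard-library-only parser of the PE section table, so it can be run on a dropped file without third-party modules. build_minimal_pe() is a constructed, header-only PE32 used as offline test input; its section layout is invented and does not describe the real sample.

```python
"""Flag PE sections that are both writable and executable (stdlib only)."""
import struct
import sys
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"


def parse_sections(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, Characteristics) for each entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; NumberOfSections is at
    # offset 2 and SizeOfOptionalHeader at offset 16 within it.
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, file_hdr + 16)[0]
    table = file_hdr + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + i * 40)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[-1]))
    return sections


def writable_code_sections(data: bytes) -> List[str]:
    """Names of sections that hold code or are executable and are also writable."""
    hits = []
    for name, flags in parse_sections(data):
        is_code = flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
        if is_code and flags & IMAGE_SCN_MEM_WRITE:
            hits.append(name)
    return hits


def build_minimal_pe(sections: List[Tuple[bytes, int]]) -> bytes:
    """Constructed test input: a header-only PE32 with the given section flags.
    Not a real binary, just enough structure for parse_sections()."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 224  # PE32 optional header size
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                              size_of_optional, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table = b"".join(
        struct.pack(SECTION_HEADER, name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 * (i + 1), 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections)
    )
    return dos_header + b"PE\0\0" + file_header + optional_header + table


if __name__ == "__main__":
    # Usage: python pe_wx_check.py <dropped file>
    with open(sys.argv[1], "rb") as fh:
        for sect in writable_code_sections(fh.read()):
            print(f"writable+executable section: {sect}")
```

A hit on .text is a strong packer/self-modifying-code indicator on its own, but it is not proof of maliciousness; some protectors used by legitimate software set the same flags, so pair it with the dynamic evidence (injection, Defender exclusion, C2) rather than alerting on it alone.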
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''
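The two process creations above are the most actionable telemetry in this report: a script host spawning PowerShell, an Add-MpPreference call that excludes the entire C:\ drive plus the persistence binary in AppData\Roaming from Defender, and an ExecutionPolicy Bypass launch of a binary out of the user's Temp directory. The following added example (written for this report, not code from the sandbox vendor or the sample) shows the three checks a detection engineer would run over process-creation telemetry. It assumes records with parent_image, image and command_line fields, which is the ParentImage/Image/CommandLine triple of Sysmon Event ID 1 or the equivalent Security 4688 fields; the field names, the user-writable path list and the rule wording are this example's own choices. The records are constructed: they reuse the two command lines from the report and add one benign control.

```python
"""Flag script-host -> PowerShell chains, broad Defender exclusions and policy bypasses."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Locations an unprivileged user can write to; an exclusion or launch here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+(.+?)(?:\s+-\w|$)", re.I)
START_PROCESS = re.compile(r"Start-Process\s+-FilePath\s+['\"]*([^'\"]+)", re.I)
# Commas separating list elements that are not inside a single-quoted PowerShell string.
UNQUOTED_COMMA = re.compile(r",(?=(?:[^']*'[^']*')*[^']*$)")


def exclusion_paths(cmdline: str) -> List[str]:
    """Extract the list passed to Add-MpPreference -ExclusionPath, quotes stripped."""
    m = EXCLUSION_ARG.search(cmdline)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in UNQUOTED_COMMA.split(m.group(1)) if p.strip()]


def analyze(event: Dict[str, str]) -> List[str]:
    """Return one finding per rule that fires on a single process-creation record."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        findings.append(f"powershell spawned by {parent}")
    for path in exclusion_paths(cmd):
        if DRIVE_ROOT.match(path):
            findings.append(f"Defender exclusion covers a whole drive: {path}")
        elif USER_WRITABLE.search(path):
            findings.append(f"Defender exclusion in user-writable location: {path}")
    if re.search(r"ExecutionPolicy\s+Bypass", cmd, re.I):
        target = START_PROCESS.search(cmd)
        if target and USER_WRITABLE.search(target.group(1)):
            findings.append(f"policy bypass launching binary from user-writable path: {target.group(1)}")
        else:
            findings.append("ExecutionPolicy Bypass on command line")
    return findings


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    """Findings per record, in input order (empty list = nothing fired)."""
    return [analyze(ev) for ev in events]


# Constructed records: the two command lines from the report plus a benign control.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'"},
    {"parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev["command_line"][:60], "->", found or "clean")
```

The exclusion parser matters more than it looks: a drive-root exclusion such as C:\ silently disables Defender for everything that follows, so the rule scores it separately from the AppData exclusion. Command-line telemetry is the minimum; where PowerShell script block logging (Event ID 4104) is enabled, the same patterns should also be matched there, since a later stage can hide the Add-MpPreference call behind an encoded or downloaded script that never appears on a process command line.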
Contains functionality to call native functions
Note: only the 22_2_004017xx entries (Sleep, NtTerminateProcess) lie inside the Btwgyizzspfr.exe image at 0x400000 (the 22.2.Btwgyizzspfr.exe.400000.0.unpack match above); the 22_2_6A87xxxx to 22_2_6A94xxxx entries carry ntdll-internal names (LdrInitializeThunk, RtlDebugPrintTimes, TpSetPoolMaxThreads, ZwWow64DebuggerCall) and belong to a mapped ntdll image, so they describe the system DLL rather than code the sample authored.
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00401799 Sleep,NtTerminateProcess, 22_2_00401799
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00401766 Sleep,NtTerminateProcess, 22_2_00401766
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004017C3 Sleep,NtTerminateProcess, 22_2_004017C3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004017C9 Sleep,NtTerminateProcess, 22_2_004017C9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004017A4 Sleep,NtTerminateProcess, 22_2_004017A4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004017AF Sleep,NtTerminateProcess, 22_2_004017AF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004017B5 Sleep,NtTerminateProcess, 22_2_004017B5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B98C0 ZwDuplicateObject,LdrInitializeThunk, 22_2_6A8B98C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9820 ZwEnumerateKey,LdrInitializeThunk, 22_2_6A8B9820
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9860 ZwQuerySystemInformation,LdrInitializeThunk, 22_2_6A8B9860
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B99A0 ZwCreateSection,LdrInitializeThunk, 22_2_6A8B99A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9600 ZwOpenKey,LdrInitializeThunk, 22_2_6A8B9600
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9660 ZwAllocateVirtualMemory,LdrInitializeThunk, 22_2_6A8B9660
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B967A NtQueryInformationProcess,LdrInitializeThunk, 22_2_6A8B967A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9780 ZwMapViewOfSection,LdrInitializeThunk, 22_2_6A8B9780
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A892280 RtlAcquireSRWLockExclusive,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive,ZwTerminateProcess, 22_2_6A892280
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB280 ZwWow64DebuggerCall, 22_2_6A8BB280
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87429E RtlInitUnicodeString,ZwClose,LdrQueryImageFileKeyOption, 22_2_6A87429E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAA90 ZwQuerySystemInformationEx, 22_2_6A8BAA90
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AD294 ZwQueryAttributesFile,RtlFreeHeap,ZwClose,RtlFreeHeap, 22_2_6A8AD294
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8752A5 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwFsControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,ZwClose,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection, 22_2_6A8752A5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A871AA0 RtlAllocateHandle,RtlReAllocateHeap,ZwAllocateVirtualMemory,ZwAllocateVirtualMemory,RtlAllocateHeap, 22_2_6A871AA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A5AA0 TpSetPoolMaxThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMaxThreads, 22_2_6A8A5AA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AE2BB ZwWaitForAlertByThreadId, 22_2_6A8AE2BB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9AB0 ZwWaitForMultipleObjects, 22_2_6A8B9AB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901AD6 ZwFreeVirtualMemory, 22_2_6A901AD6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948ADD RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948ADD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAAC0 ZwQueryWnfStateNameInformation, 22_2_6A8BAAC0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89FAD0 RtlAcquireSRWLockShared,RtlDllShutdownInProgress,ZwWaitForAlertByThreadId,RtlAcquireSRWLockShared,ZwTerminateProcess, 22_2_6A89FAD0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9AE0 ZwTraceEvent, 22_2_6A8B9AE0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAAE0 ZwRaiseException, 22_2_6A8BAAE0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948214 RtlAcquireSRWLockExclusive,ZwSetInformationWorkerFactory,RtlReleaseSRWLockExclusive, 22_2_6A948214
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9A00 ZwProtectVirtualMemory, 22_2_6A8B9A00
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875210 RtlGetCurrentDirectory_U,memcpy,RtlGetCurrentDirectory_U,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6A875210
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A229 ZwAllocateVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwQueryVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlFillMemoryUlong,DbgPrint,DbgPrint,DbgPrint, 22_2_6A89A229
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874A20 RtlGetCurrentServiceSessionId,RtlFreeHeap,ZwClose,RtlReleaseActivationContext,LdrUnloadDll, 22_2_6A874A20
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AB230 EtwEventWrite,ZwTraceEvent,RtlNtStatusToDosError,EtwEventWrite, 22_2_6A8AB230
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A878239 RtlInitUnicodeStringEx,ZwQueryValueKey,RtlInitUnicodeStringEx,RtlPrefixUnicodeString,ZwEnumerateKey,ZwOpenKey,RtlInitUnicodeStringEx,ZwQueryValueKey,RtlFreeHeap,ZwClose,RtlAllocateHeap,RtlCompareUnicodeString,ZwClose,RtlFreeHeap,ZwClose, 22_2_6A878239
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A879240 ZwClose,ZwClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlAcquireSRWLockExclusive,RtlFreeHeap, 22_2_6A879240
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901242 ZwUnmapViewOfSection,ZwClose,ZwClose,ZwClose,ZwClose,ZwClose, 22_2_6A901242
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948A62 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948A62
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872B93 TpSetDefaultPoolMaxThreads,ZwDuplicateToken, 22_2_6A872B93
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A939F RtlInitializeCriticalSectionEx,ZwDelayExecution, 22_2_6A8A939F
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93138A memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A93138A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948BB6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948BB6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4BAD RtlAcquireSRWLockExclusive,memset,ZwTraceControl,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 22_2_6A8A4BAD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A949BBE RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A949BBE
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA3A0 ZwGetCompleteWnfStateSubscription, 22_2_6A8BA3A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931BA8 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A931BA8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872BC2 ZwOpenThreadToken,ZwSetInformationThread,ZwClose, 22_2_6A872BC2
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88A3E0 RtlFormatCurrentUserKeyPath,ZwQueryInformationToken,RtlLengthSidAsUnicodeString,RtlAppendUnicodeToString,RtlConvertSidToUnicodeString,RtlFreeUnicodeString, 22_2_6A88A3E0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8723F6 ZwClose,RtlFreeHeap, 22_2_6A8723F6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9BF0 ZwAlertThreadByThreadId, 22_2_6A8B9BF0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874B00 TpCallbackMayRunLong,TpCallbackMayRunLong,ZwSetInformationWorkerFactory, 22_2_6A874B00
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93131B RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A93131B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9B00 ZwSetValueKey, 22_2_6A8B9B00
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A5306 ZwReleaseKeyedEvent, 22_2_6A8A5306
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A879335 ZwClose,ZwClose, 22_2_6A879335
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A3B48 ZwClose,ZwClose, 22_2_6A8A3B48
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948B58 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948B58
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A908372 ZwClose,RtlStringFromGUIDEx,ZwCreateKey,RtlFreeUnicodeString, 22_2_6A908372
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAB60 ZwReleaseKeyedEvent, 22_2_6A8BAB60
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A3B7A RtlAllocateHeap,ZwQuerySystemInformationEx,memset,RtlFreeHeap, 22_2_6A8A3B7A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872B7E ZwSetInformationThread,ZwClose, 22_2_6A872B7E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A926369 RtlInitUnicodeString,ZwOpenFile,ZwCreateSection,ZwMapViewOfSection,ZwClose,ZwClose, 22_2_6A926369
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAB70 ZwReleaseWorkerFactoryWorker, 22_2_6A8BAB70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B108B ZwClose, 22_2_6A8B108B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873880 TpSetWaitEx,RtlAllocateHeap,ZwGetCompleteWnfStateSubscription,RtlFreeHeap,TpSetWaitEx, 22_2_6A873880
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AA080 RtlDeleteCriticalSection,RtlAcquireSRWLockExclusive,RtlDeleteCriticalSection,RtlDeleteCriticalSection,ZwClose,RtlDeleteCriticalSection, 22_2_6A8AA080
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA890 ZwQueryDebugFilterState, 22_2_6A8BA890
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9890 ZwFsControlFile, 22_2_6A8B9890
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89F0AE ZwSetInformationWorkerFactory, 22_2_6A89F0AE
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9260A2 ZwQueryInformationFile, 22_2_6A9260A2
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A18B9 ZwCreateTimer2,ZwCreateWaitCompletionPacket,ZwAssociateWaitCompletionPacket,ZwClose, 22_2_6A8A18B9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AF0BF ZwOpenFile,RtlFreeHeap,ZwQueryVolumeInformationFile,RtlAllocateHeap,memcpy,ZwClose,ZwClose,RtlFreeHeap, 22_2_6A8AF0BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB0B0 ZwTraceControl, 22_2_6A8BB0B0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8770C0 ZwClose,RtlFreeHeap,RtlFreeHeap, 22_2_6A8770C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B00C2 ZwAlertThreadByThreadId, 22_2_6A8B00C2
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA0D0 ZwCreateTimer2, 22_2_6A8BA0D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B98D0 ZwQueryAttributesFile, 22_2_6A8B98D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B10D7 ZwOpenKey,ZwCreateKey, 22_2_6A8B10D7
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B8F0 TpSetPoolStackInformation,ZwSetInformationWorkerFactory, 22_2_6A87B8F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8740FD RtlImageNtHeaderEx,DbgPrintEx,memset,RtlDebugPrintTimes,DbgPrintEx,wcsstr,DbgPrintEx,DbgPrintEx,wcschr,DbgPrintEx,ZwSetInformationProcess, 22_2_6A8740FD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9260E9 ZwOpenKey,ZwClose,ZwClose, 22_2_6A9260E9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A94F019 RtlInitUnicodeString,RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlInitUnicodeString,ZwClose,RtlFreeHeap, 22_2_6A94F019
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F018 RtlAllocateHeap,ZwQueryValueKey,memcpy,RtlFreeHeap, 22_2_6A87F018
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4020 RtlGetVersion,RtlGetSuiteMask,RtlGetNtProductType,RtlInitUnicodeString,ZwQueryLicenseValue,RtlGetSuiteMask,RtlGetVersion, 22_2_6A8A4020
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9830 ZwOpenFile, 22_2_6A8B9830
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9840 ZwDelayExecution, 22_2_6A8B9840
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948858 ZwAlertThreadByThreadId, 22_2_6A948858
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875050 RtlSetCurrentDirectory_U,RtlAllocateHeap,RtlFreeHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlSetCurrentDirectory_U,RtlFreeHeap,RtlFreeHeap, 22_2_6A875050
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88106F ZwOpenKey,ZwClose, 22_2_6A88106F
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901879 ZwAllocateVirtualMemory,memset,RtlInitializeSid, 22_2_6A901879
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89C182 RtlGetCurrentServiceSessionId,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwWaitForAlertByThreadId,RtlAcquireSRWLockExclusive, 22_2_6A89C182
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9980 ZwCreateEvent, 22_2_6A8B9980
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB180 ZwWaitForAlertByThreadId, 22_2_6A8BB180
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A926186 ZwQueryValueKey,memmove,RtlInitUnicodeString, 22_2_6A926186
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87519E RtlEqualUnicodeString,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6A87519E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93A189 RtlAcquireSRWLockExclusive,ZwGetNlsSectionPtr,RtlAllocateHeap,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive, 22_2_6A93A189
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9990 ZwQueryVolumeInformationFile, 22_2_6A8B9990
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB1A0 ZwWaitForKeyedEvent, 22_2_6A8BB1A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9349A4 ZwAllocateVirtualMemory,RtlCompareMemory,memcpy,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 22_2_6A9349A4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA9B0 ZwQueryLicenseValue, 22_2_6A8BA9B0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9019C8 ZwCreateSection,ZwMapViewOfSection,memset,ZwUnmapViewOfSection,ZwClose, 22_2_6A9019C8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9489E7 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A9489E7
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A879100 TpReleasePool,RtlAcquireSRWLockExclusive,ZwShutdownWorkerFactory,RtlGetCurrentServiceSessionId,TpReleasePool,TpReleasePool,RtlDebugPrintTimes,TpReleasePool, 22_2_6A879100
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A880100 LdrUnloadAlternateResourceModuleEx,RtlAcquireSRWLockExclusive,ZwUnmapViewOfSection,ZwClose,LdrUnloadAlternateResourceModuleEx,RtlFreeHeap,RtlFreeHeap,RtlReAllocateHeap, 22_2_6A880100
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9900 ZwOpenEvent, 22_2_6A8B9900
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A894120 RtlAllocateHeap,memmove,memmove,RtlPrefixUnicodeString,RtlAllocateHeap,RtlLeaveCriticalSection,ZwClose,RtlFreeHeap,RtlFreeHeap, 22_2_6A894120
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A90193B ZwRaiseException,ZwTerminateProcess, 22_2_6A90193B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9920 ZwDuplicateToken, 22_2_6A8B9920
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A94F13B ZwOpenKey,ZwCreateKey, 22_2_6A94F13B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA130 ZwCreateWaitCompletionPacket, 22_2_6A8BA130
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89B944 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,RtlGetCurrentServiceSessionId,ZwSetTimer2,RtlGetCurrentServiceSessionId,ZwCancelTimer2, 22_2_6A89B944
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F150 RtlOpenCurrentUser,RtlFormatCurrentUserKeyPath,ZwOpenKey,RtlFreeUnicodeString,RtlOpenCurrentUser,RtlInitUnicodeString,ZwOpenKey, 22_2_6A87F150
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87395E RtlAcquireSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwGetCompleteWnfStateSubscription,RtlFreeHeap, 22_2_6A87395E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB150 ZwUnsubscribeWnfStateChange, 22_2_6A8BB150
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901976 ZwCreateEvent, 22_2_6A901976
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB160 ZwUpdateWnfStateData, 22_2_6A8BB160
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA160 ZwCreateWorkerFactory, 22_2_6A8BA160
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948966 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948966
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B171 ZwQueryDebugFilterState,_alloca_probe_16,memcpy,_vsnprintf,ZwWow64DebuggerCall,RtlRaiseException, 22_2_6A87B171
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873E80 RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,RtlSetThreadSubProcessTag,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A873E80
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92BE9B RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 22_2_6A92BE9B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ADE9E RtlAcquireSRWLockExclusive,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwUnsubscribeWnfStateChange,RtlReleaseSRWLockExclusive,RtlFreeHeap,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlFreeHeap, 22_2_6A8ADE9E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872E9F ZwCreateEvent,ZwClose, 22_2_6A872E9F
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A943EBC ZwTraceControl,RtlNtStatusToDosError,RtlSetLastWin32Error, 22_2_6A943EBC
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A902EA3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A902EA3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89E6B0 RtlSetThreadWorkOnBehalfTicket,memcmp,ZwSetInformationThread,RtlSetThreadWorkOnBehalfTicket, 22_2_6A89E6B0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948ED6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948ED6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B96C0 ZwSetInformationProcess, 22_2_6A8B96C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8766D4 RtlInitUnicodeString,ZwQueryValueKey, 22_2_6A8766D4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A9ED0 RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,RtlAcquireSRWLockExclusive,RtlAcquireSRWLockShared,RtlReleaseSRWLockExclusive,RtlReleaseSRWLockShared,ZwWaitForAlertByThreadId, 22_2_6A8A9ED0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B96D0 ZwCreateKey, 22_2_6A8B96D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872ED8 ZwWaitForAlertByThreadId,ZwWaitForAlertByThreadId, 22_2_6A872ED8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9016FA ZwQueryWnfStateNameInformation,ZwUpdateWnfStateData,EtwEventWriteNoRegistration, 22_2_6A9016FA
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B96E0 ZwFreeVirtualMemory, 22_2_6A8B96E0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89E6F9 ZwAlpcSetInformation, 22_2_6A89E6F9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B6F0 EtwEventWriteNoRegistration,ZwTraceEvent,RtlNtStatusToDosError, 22_2_6A87B6F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8CDEF0 RtlRaiseException,RtlCaptureContext,ZwRaiseException,RtlRaiseStatus, 22_2_6A8CDEF0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A902E14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A902E14
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87C600 LdrQueryImageFileKeyOption,RtlInitUnicodeStringEx,ZwQueryValueKey,LdrQueryImageFileKeyOption,RtlFreeHeap,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,RtlUnicodeStringToInteger,memcpy, 22_2_6A87C600
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9E20 ZwCancelTimer2, 22_2_6A8B9E20
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FE3F memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A92FE3F
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A943E22 ZwTraceControl,RtlNtStatusToDosError,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error, 22_2_6A943E22
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B630 ZwWaitForKeyedEvent, 22_2_6A87B630
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9E30 ZwCancelWaitCompletionPacket, 22_2_6A8B9E30
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB640 RtlUnhandledExceptionFilter,ZwTerminateProcess, 22_2_6A8BB640
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BB650 RtlUnhandledExceptionFilter,ZwTerminateProcess, 22_2_6A8BB650
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9650 ZwQueryValueKey, 22_2_6A8B9650
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ABE62 ZwProtectVirtualMemory,RtlGetCurrentTransaction,RtlGetCurrentTransaction, 22_2_6A8ABE62
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAE70 ZwSetInformationWorkerFactory, 22_2_6A8BAE70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9670 ZwQueryInformationProcess, 22_2_6A8B9670
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A925F87 ZwUnmapViewOfSection, 22_2_6A925F87
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B97A0 ZwUnmapViewOfSection, 22_2_6A8B97A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B3FA0 RtlGetLocaleFileMappingAddress,ZwInitializeNlsFiles,RtlGetLocaleFileMappingAddress,ZwUnmapViewOfSection, 22_2_6A8B3FA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872FB0 RtlDestroyHeap,RtlDeleteCriticalSection,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlDestroyHeap,DbgPrint,DbgPrint,DbgPrint,RtlDebugPrintTimes,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A872FB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F7C0 EtwNotificationUnregister,RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwClose,RtlReleaseSRWLockExclusive,RtlSetLastWin32Error,EtwNotificationUnregister, 22_2_6A87F7C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B97C0 ZwTerminateProcess, 22_2_6A8B97C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ADFDF RtlWakeAddressAllNoFence,ZwAlertThreadByThreadId,RtlWakeAddressAllNoFence, 22_2_6A8ADFDF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAFD0 ZwShutdownWorkerFactory, 22_2_6A8BAFD0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A37EB RtlImageNtHeader,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,ZwCreateIoCompletion,ZwCreateWorkerFactory,RtlAcquireSRWLockExclusive,RtlGetCurrentServiceSessionId,ZwSetInformationWorkerFactory, 22_2_6A8A37EB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A880FFD RtlInitUnicodeString,ZwQueryValueKey, 22_2_6A880FFD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A900FEC ZwDuplicateObject,ZwDuplicateObject, 22_2_6A900FEC
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A9702 RtlAcquireSRWLockExclusive,RtlReleaseSRWLockExclusive,ZwReleaseWorkerFactoryWorker, 22_2_6A8A9702
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9710 ZwQueryInformationToken, 22_2_6A8B9710
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92CF30 ZwAlertThreadByThreadId, 22_2_6A92CF30
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AE730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 22_2_6A8AE730
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9730 ZwQueryVirtualMemory, 22_2_6A8B9730
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A174B ZwFreeVirtualMemory,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory, 22_2_6A8A174B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B0F48 ZwOpenKey,ZwClose,ZwClose,ZwCreateKey,RtlInitUnicodeStringEx,ZwSetValueKey,RtlInitUnicodeStringEx,ZwSetValueKey,ZwClose, 22_2_6A8B0F48
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9740 ZwOpenThreadToken, 22_2_6A8B9740
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9750 ZwQueryInformationThread, 22_2_6A8B9750
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92CF70 RtlpGetUserOrMachineUILanguage4NLS,RtlInitUnicodeString,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,RtlInitUnicodeString,ZwOpenKey,RtlInitUnicodeString,ZwClose,ZwClose, 22_2_6A92CF70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BAF60 ZwSetTimer2, 22_2_6A8BAF60
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9F70 ZwCreateIoCompletion, 22_2_6A8B9F70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9770 ZwSetInformationFile, 22_2_6A8B9770
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A90176C ZwOpenEvent,ZwWaitForSingleObject,ZwClose, 22_2_6A90176C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948F6A RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948F6A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A934496 ZwAllocateVirtualMemory,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint,DbgPrint, 22_2_6A934496
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA480 ZwInitializeNlsFiles, 22_2_6A8BA480
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8F3C93 wcschr,RtlInitUnicodeString,wcstoul,RtlAnsiStringToUnicodeString,RtlCompareUnicodeString,ZwProtectVirtualMemory,DbgPrintEx,RtlFreeUnicodeString, 22_2_6A8F3C93
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A949CB3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A949CB3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A944CAB ZwTraceControl, 22_2_6A944CAB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948CD6 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948CD6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872CDB RtlFreeHeap,ZwClose,ZwSetEvent, 22_2_6A872CDB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F4E3 RtlEnterCriticalSection,RtlLeaveCriticalSection,ZwSetEvent, 22_2_6A87F4E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9314FB memset,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A9314FB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9264FB ZwOpenKey,ZwQueryValueKey,RtlEqualUnicodeString,RtlEqualUnicodeString,RtlEqualUnicodeString,ZwClose, 22_2_6A9264FB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901CE4 ZwQueryInformationProcess, 22_2_6A901CE4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948C14 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948C14
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931411 ZwTraceEvent, 22_2_6A931411
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B0413 ZwUnmapViewOfSection, 22_2_6A8B0413
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8BA420 ZwGetNlsSectionPtr, 22_2_6A8BA420
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89FC39 ZwAssociateWaitCompletionPacket, 22_2_6A89FC39
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9C40 ZwAllocateVirtualMemoryEx, 22_2_6A8B9C40
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875450 RtlClearThreadWorkOnBehalfTicket,memcmp,RtlClearThreadWorkOnBehalfTicket,ZwSetInformationThread, 22_2_6A875450
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901C49 ZwQueryInformationProcess, 22_2_6A901C49
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948C75 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948C75
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89746D RtlLeaveCriticalSection,ZwClose,RtlFreeHeap, 22_2_6A89746D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901C76 ZwQueryInformationProcess, 22_2_6A901C76
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AAC7B ZwFreeVirtualMemory,RtlFillMemoryUlong,RtlFlushSecureMemoryCache,ZwFreeVirtualMemory,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,DbgPrint,DbgPrint,DbgPrint, 22_2_6A8AAC7B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A923C60 RtlFlushSecureMemoryCache,ZwQueryVirtualMemory, 22_2_6A923C60
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B5C70 TpSetPoolMaxThreadsSoftLimit,ZwSetInformationWorkerFactory, 22_2_6A8B5C70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9C70 ZwAlpcConnectPort, 22_2_6A8B9C70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88DD80 RtlAcquireSRWLockShared,ZwQueryVirtualMemory,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlImageNtHeaderEx,RtlRaiseStatus,RtlAddressInSectionTable,RtlImageDirectoryEntryToData, 22_2_6A88DD80
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931582 ZwTraceEvent, 22_2_6A931582
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93B581 RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A93B581
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873591 ZwSetInformationFile, 22_2_6A873591
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8765A0 RtlpGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwQueryLicenseValue,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetDeviceFamilyInfoEnum,RtlInitUnicodeString,ZwOpenKey,ZwClose,RtlGetVersion, 22_2_6A8765A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9DA0 ZwAlpcSendWaitReceivePort, 22_2_6A8B9DA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B95B0 ZwSetInformationThread, 22_2_6A8B95B0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9DB0 ZwAlpcSetInformation, 22_2_6A8B9DB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FDD3 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A92FDD3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874DC0 RtlpUnWaitCriticalSection,RtlWakeAddressAllNoFence,RtlRaiseStatus,TpWaitForAlpcCompletion,RtlpUnWaitCriticalSection,ZwSetEvent,TpWaitForAlpcCompletion,ZwAlpcQueryInformation, 22_2_6A874DC0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B95C0 ZwSetEvent, 22_2_6A8B95C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89EDC4 ZwCancelWaitCompletionPacket, 22_2_6A89EDC4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8745D0 RtlGetThreadWorkOnBehalfTicket,RtlGetThreadWorkOnBehalfTicket,ZwQueryInformationThread, 22_2_6A8745D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B95D0 ZwClose, 22_2_6A8B95D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92BDFA RtlAcquireSRWLockExclusive,ZwAllocateVirtualMemory,RtlReleaseSRWLockExclusive, 22_2_6A92BDFA
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9DE0 ZwAssociateWaitCompletionPacket, 22_2_6A8B9DE0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8795F0 TpSetPoolMinThreads,ZwSetInformationWorkerFactory,RtlGetCurrentServiceSessionId,TpSetPoolMinThreads, 22_2_6A8795F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B95F0 ZwQueryInformationFile, 22_2_6A8B95F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901D0B ZwSetInformationProcess, 22_2_6A901D0B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948D34 RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A948D34
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 RtlInitializeCriticalSectionEx,RtlInitializeCriticalSectionEx,RtlGetCurrentServiceSessionId,ZwTraceEvent, 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9520 ZwWaitForSingleObject, 22_2_6A8B9520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FD22 ZwQueryInformationProcess,RtlUniform, 22_2_6A92FD22
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4D3B memset,RtlRunOnceExecuteOnce,ZwTraceControl,memcmp,RtlNtStatusToDosError,RtlFreeHeap,RtlAllocateHeap,RtlNtStatusToDosError,RtlFreeHeap, 22_2_6A8A4D3B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A941D55 ZwFreeVirtualMemory,RtlWakeAddressAllNoFence, 22_2_6A941D55
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901D43 ZwQueryInformationThread, 22_2_6A901D43
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901570 ZwQuerySystemInformation,RtlInitUnicodeString,memset,ZwAlpcConnectPort,ZwAlpcSendWaitReceivePort,ZwClose, 22_2_6A901570
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A936D61 ZwAllocateVirtualMemoryEx, 22_2_6A936D61
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A901D6A ZwWaitForMultipleObjects, 22_2_6A901D6A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B9D70 ZwAlpcQueryInformation, 22_2_6A8B9D70
Detected potential crypto function
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C3DE20 0_2_00C3DE20
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C36DC0 0_2_00C36DC0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9432A9 22_2_6A9432A9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93E2C5 22_2_6A93E2C5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A934AEF 22_2_6A934AEF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FA2B 22_2_6A92FA2B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A91EB8A 22_2_6A91EB8A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AEBB0 22_2_6A8AEBB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AABD8 22_2_6A8AABD8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8C8BE8 22_2_6A8C8BE8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9223E3 22_2_6A9223E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A309 22_2_6A89A309
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89AB40 22_2_6A89AB40
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88B090 22_2_6A88B090
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A876800 22_2_6A876800
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931002 22_2_6A931002
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A830 22_2_6A89A830
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A8840 22_2_6A8A8840
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8999BF 22_2_6A8999BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A894120 22_2_6A894120
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A942EF7 22_2_6A942EF7
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A896E30 22_2_6A896E30
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9367E2 22_2_6A9367E2
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A2F70 22_2_6A8A2F70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A934496 22_2_6A934496
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A35D0 22_2_6A8A35D0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A870D20 22_2_6A870D20
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A941D55 22_2_6A941D55
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: String function: 6A8CD08C appears 37 times
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: String function: 6A905720 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: String function: 6A87B150 appears 128 times
PE file contains strange resources
Source: rSYbV3jx0K.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Onedrives.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: srndix.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.26.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.26.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Onedrives.exe.26.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: Btwgyizzspfr.exe.0.dr Static PE information: No import functions for PE file found
Source: D8E6.tmp.22.dr Static PE information: No import functions for PE file found
Source: srndix.exe.17.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: rSYbV3jx0K.exe, 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.exe" vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000003.258124956.000000000392F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCtfrwxowjm.dll" vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000003.284369188.000000000632C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSpoofershark.exeF vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.291350989.0000000000E60000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClassLibrary.dll: vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.293313762.0000000004D70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.293786142.0000000004E00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000000.00000002.291066991.0000000000C50000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCostura.dll0 vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLIANNEW1.exej% vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.493552864.00000000043F6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRDREPORT.exej% vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.493552864.00000000043F6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSendFile.dll" vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.493552864.00000000043F6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGRABTO.exej% vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000000.289417510.0000000000E63000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSpoofershark.exeF vs rSYbV3jx0K.exe
Source: rSYbV3jx0K.exe, 00000011.00000003.410928667.0000000008D31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTestMePleaseXMR.exej% vs rSYbV3jx0K.exe
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Uses 32bit PE files
Source: rSYbV3jx0K.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: rSYbV3jx0K.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Btwgyizzspfr.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Onedrives.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Onedrives.exe.26.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Btwgyizzspfr.exe.0.dr Static PE information: Section .text
Source: classification engine Classification label: mal100.troj.evad.winEXE@49/41@10/5
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 6_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification, 9_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle, 6_2_004095FD
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource, 6_2_0040A33B
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00401306
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Roaming\Onedrives.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Mutant created: \Sessions\1\BaseNamedObjects\Aakn1515knAakn1515kn!
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:120:WilError_01
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\zEyverccjl.vbs'
Source: rSYbV3jx0K.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: rSYbV3jx0K.exe Virustotal: Detection: 64%
Source: rSYbV3jx0K.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File read: C:\Users\user\Desktop\rSYbV3jx0K.exe
Source: unknown Process created: C:\Users\user\Desktop\rSYbV3jx0K.exe 'C:\Users\user\Desktop\rSYbV3jx0K.exe'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5308
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5736
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\zEyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe 'C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Onedrives.exe 'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\Onedrives.exe 'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\srndix.exe'' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\zEyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5308
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5736
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe 'C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe'
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\srndix.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
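The process chain listed above is the part of this report most worth turning into detection logic: the NirSoft AdvancedRun launcher is used with /RunAs to run powershell.exe (deleting the Windows Defender data directory under ProgramData) and sc.exe (stop WinDefend), wscript.exe starts powershell.exe directly to add a Defender exclusion, and cmd.exe starts powershell with ExecutionPolicy Bypass to launch the dropped payloads. The following is an added example and not part of the sandbox output: it runs a small rule set over process-creation records constructed from the command lines in the report, plus one benign control record. The record shape (parent, image, cmdline) and the rule names are assumptions of the example, not any particular log schema.

```python
"""Rule-based triage of process-creation records for the Defender-tampering
and execution-policy-bypass behaviour in this report.  Added example; the
records in EVENTS are constructed from the report's command lines (plus one
benign control) and the (parent, image, cmdline) shape is an assumption."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # full command line of the created process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line rules: name -> case-insensitive regex on the child's command line.
CMDLINE_RULES = {
    # rmdir/rd of Defender's data directory (platform, signatures, quarantine).
    "defender_dir_delete": re.compile(r"\b(rmdir|rd)\b.*windows defender", re.I),
    # 'sc stop WinDefend' / 'net stop WinDefend', wrapped by a launcher or not.
    "windefend_service_stop": re.compile(r"\bstop\s+windefend\b", re.I),
    # Add-MpPreference with any -Exclusion* parameter.
    "defender_exclusion_added": re.compile(r"add-mppreference\b.*-exclusion", re.I),
    # 'ExecutionPolicy Bypass' with or without the leading dash.
    "execution_policy_bypass": re.compile(r"executionpolicy\s+bypass", re.I),
    # AdvancedRun used with /RunAs to launch a program under another account.
    "launcher_runas": re.compile(r"advancedrun\.exe.*/runas\s+\d+", re.I),
}


def matching_rules(ev: ProcEvent) -> list:
    """Names of every rule the event triggers (command-line rules first)."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
    parent = ntpath.basename(ev.parent).lower()
    child = ntpath.basename(ev.image).lower()
    # Parent/child rule: a script host starting PowerShell directly.
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    return hits


def evaluate(events) -> list:
    """(rule, child image basename) for every rule hit across all events."""
    return [(rule, ntpath.basename(ev.image)) for ev in events for rule in matching_rules(ev)]


def summarize(events) -> dict:
    """Hit count per rule; an empty dict means nothing fired."""
    return dict(Counter(rule for rule, _ in evaluate(events)))


# Constructed records: the first six reuse the report's command lines, the
# last is a benign control (Get-MpPreference from explorer.exe) that must not fire.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\rSYbV3jx0K.exe", r"C:\Users\user\AppData\Local\Temp\AdvancedRun.exe",
              r"'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run"),
    ProcEvent(r"C:\Users\user\Desktop\rSYbV3jx0K.exe", r"C:\Windows\SysWOW64\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\zEyverccjl.vbs'"),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe'' & exit"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\Onedrives.exe", r"C:\Users\user\AppData\Local\Temp\AdvancedRun.exe",
              r"'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for rule, image in evaluate(EVENTS):
        print(f"{rule:32} {image}")
```

The rules key on the command line of whatever process carries the tampering text, so they fire whether sc.exe is launched through AdvancedRun, as here, or directly. Note the scope of the exclusion in the third record: `-ExclusionPath C:\` excludes the whole system drive, so every payload later dropped under Temp and Roaming is covered by a single event; an exclusion rule that only alerts on paths under AppData would miss it.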
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: rSYbV3jx0K.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rSYbV3jx0K.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, AdvancedRun.exe, 00000006.00000002.263722872.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000008.00000000.262482831.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000009.00000000.265543670.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000B.00000000.275669920.000000000040C000.00000002.00020000.sdmp, Onedrives.exe, 0000001A.00000003.451756854.000000000414C000.00000004.00000001.sdmp, AdvancedRun.exe, 00000022.00000002.416632787.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000024.00000002.442189234.000000000040C000.00000002.00020000.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001B.00000000.367792261.000000000E2C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Btwgyizzspfr.exe, 00000016.00000002.443820156.000000006A851000.00000020.00020000.sdmp
Source: Binary string: wntdll.pdb source: Btwgyizzspfr.exe
Source: Binary string: C:\projects\costura\Costura\obj\Release\net40\Costura.pdb source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp
Source: Binary string: C:\projects\costura\Costura\obj\Release\net40\Costura.pdbSHA256 source: rSYbV3jx0K.exe, 00000011.00000003.477737855.00000000048BB000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000001B.00000000.367792261.000000000E2C0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: rSYbV3jx0K.exe, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Onedrives.exe.0.dr, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.rSYbV3jx0K.exe.4d0000.0.unpack, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.rSYbV3jx0K.exe.4d0000.0.unpack, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: srndix.exe.17.dr, WindowsFormsApp1.Common/Merchant.cs .Net Code: CompareReader System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.rSYbV3jx0K.exe.e10000.0.unpack, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Onedrives.exe.26.dr, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 26.2.Onedrives.exe.d00000.0.unpack, Spoofershark.Workers/Property.cs .Net Code: PublishIndexer System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe'' (2 entries)
Yara detected Costura Assembly Loader
Source: Yara match File source: rSYbV3jx0K.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.291545539.0000000002891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.209217100.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.478220942.0000000003031000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.456635553.0000000000D02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.290351132.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.289369592.0000000000E12000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.324471350.00000000008E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.305793805.0000000000D02000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rSYbV3jx0K.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: Onedrives.exe PID: 6416, type: MEMORY
Source: Yara match File source: dropped/Onedrives.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Onedrives.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Onedrives.exe, type: DROPPED
Source: Yara match File source: 26.2.Onedrives.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Onedrives.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.rSYbV3jx0K.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.Onedrives.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.rSYbV3jx0K.exe.e10000.0.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: D8E6.tmp.22.dr Static PE information: 0xC8733C73 [Sun Jul 26 13:21:55 2076 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040289F
PE file contains an invalid checksum
Source: Onedrives.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x65a18
Source: Btwgyizzspfr.exe.0.dr Static PE information: real checksum: 0xb047 should be: 0x152e0
Source: tbjvcq.exe.17.dr Static PE information: real checksum: 0x0 should be: 0x17bab9
Source: Onedrives.exe.26.dr Static PE information: real checksum: 0x0 should be: 0x65a18
Source: rSYbV3jx0K.exe Static PE information: real checksum: 0x0 should be: 0x65a18
Source: srndix.exe.17.dr Static PE information: real checksum: 0x0 should be: 0x3ac71c
PE file contains sections with non-standard names
Source: tbjvcq.exe.17.dr Static PE information: section name: UPX2
Source: D8E6.tmp.22.dr Static PE information: section name: RT
Source: D8E6.tmp.22.dr Static PE information: section name: .mrdata
Source: D8E6.tmp.22.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_004D6F22 push ss; ret 0_2_004D6F63
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C325ED push ss; ret 0_2_00C325EE
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C32690 push ds; ret 0_2_00C32692
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C326AB push ds; ret 0_2_00C326AE
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C32644 push ss; ret 0_2_00C32646
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C32673 push ss; ret 0_2_00C32676
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C32678 push 00000016h; ret 0_2_00C3267A
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C3270B push ds; ret 0_2_00C32712
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Code function: 0_2_00C3272D push ss; ret 0_2_00C3272E
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret 6_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040B550 push eax; ret 6_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040B50D push ecx; ret 6_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B550 push eax; ret 9_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B550 push eax; ret 9_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040B50D push ecx; ret 9_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00404E48 push eax; ret 22_2_00404E56
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_0040243B push ebp; ret 22_2_004022E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_0040563F push ecx; iretd 22_2_00405646
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_004022D6 push ebp; ret 22_2_004022E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00403AF6 push 00000065h; iretd 22_2_00403AF9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_0040270F push ecx; iretd 22_2_00402710
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00404F18 push EC848FC5h; ret 22_2_00404F1D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00405B8A push ebx; retf 22_2_00405B8C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_00404DA6 push cs; iretd 22_2_00404DAF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8CD0D1 push ecx; ret 22_2_6A8CD0E4
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Code function: 26_2_00D06F22 push ss; ret 26_2_00D06F63
Source: initial sample Static PE information: section name: .text entropy: 7.83702525454
Source: initial sample Static PE information: section name: .text entropy: 7.65390622203
Source: initial sample Static PE information: section name: .text entropy: 7.83702525454
Source: initial sample Static PE information: section name: .text entropy: 6.85305507137
Source: initial sample Static PE information: section name: .text entropy: 7.83702525454
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
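The static indicators above (a CheckSum field of 0x0 or a value that does not match the file, a TimeDateStamp in 2076 on D8E6.tmp, UPX section names) are cheap to re-check on any sample without running it. The following is an added example and not part of the report: it implements the PE CheckSum algorithm (the one pefile's generate_checksum uses: sum the file as dwords with end-around carry, skipping the CheckSum field itself, fold to 16 bits, add the file length) together with the future-timestamp test, and runs both on a constructed, header-only PE32 image whose TimeDateStamp is the report's 0xC8733C73. The analysis time is a constructed value.

```python
"""Header checks behind two of the static indicators above: a PE CheckSum
that does not match the file, and a TimeDateStamp after the analysis time.
Added example, not part of the sandbox output; build_sample_pe() produces a
constructed, non-loadable image used only to exercise the checks."""
import struct
from datetime import datetime, timezone

OPT_HDR_CHECKSUM = 0x40   # CheckSum offset inside the optional header (PE32 and PE32+)


def _e_lfanew(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def header_fields(data: bytes):
    """(TimeDateStamp, stored CheckSum, file offset of the CheckSum field)."""
    pe = _e_lfanew(data)
    timestamp = struct.unpack_from("<I", data, pe + 8)[0]   # COFF header + 4
    checksum_off = pe + 4 + 20 + OPT_HDR_CHECKSUM            # signature + COFF + 0x40
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    return timestamp, stored, checksum_off


def pe_checksum(data: bytes) -> int:
    """CheckSum as the PE tool chain computes it: little-endian dword sum with
    end-around carry over the whole file, skipping the CheckSum field, folded
    to 16 bits, plus the file length."""
    _, _, checksum_off = header_fields(data)
    if checksum_off % 4:
        raise ValueError("CheckSum field not dword aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def patch_checksum(data: bytes) -> bytes:
    """Copy of the file with the CheckSum the linker would have written."""
    _, _, checksum_off = header_fields(data)
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_off, pe_checksum(data))
    return bytes(out)


def check(data: bytes, analysis_time: int) -> dict:
    """Evaluate both indicators; analysis_time is a Unix timestamp."""
    timestamp, stored, _ = header_fields(data)
    computed = pe_checksum(data)
    return {
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "timestamp_in_future": timestamp > analysis_time,
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
    }


def build_sample_pe(timestamp: int, checksum: int = 0, size: int = 512) -> bytes:
    """Constructed minimal PE32 image: DOS header, COFF header, optional header
    and deterministic filler. Enough for the header checks, not runnable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, timestamp, no symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, OPT_HDR_CHECKSUM, checksum)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    filler = bytes((i * 37 + 11) & 0xFF for i in range(size - len(head)))
    return head + filler


if __name__ == "__main__":
    ANALYSIS_TIME = 1619000000                  # constructed: 2021-04-21 UTC
    sample = build_sample_pe(0xC8733C73)        # TimeDateStamp of D8E6.tmp in the report
    for label, blob in (("as dropped", sample), ("checksum patched", patch_checksum(sample))):
        r = check(blob, ANALYSIS_TIME)
        print(label, r["timestamp_utc"], hex(r["stored_checksum"]),
              hex(r["computed_checksum"]), r["checksum_valid"], r["timestamp_in_future"])
```

Read the two indicators with different weight. A CheckSum of 0x0 (rSYbV3jx0K.exe, Onedrives.exe, tbjvcq.exe, srndix.exe) is ordinary for user-mode binaries, because the loader only enforces the field for drivers and boot-critical images, so on its own it says little. A non-zero value that does not match (Btwgyizzspfr.exe: 0xb047 stored, 0x152e0 expected) is the stronger signal, since it usually means the file was edited after linking, typically by a packer or patcher. A timestamp later than the analysis time is always wrong and points to a deliberately altered or randomised header.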

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8AAE.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\srndix.exe
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe File created: C:\Users\user\AppData\Local\Temp\D8E6.tmp
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\84F0.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8D20.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8F34.exe
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Roaming\Onedrives.exe
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\qicqii.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\okjnek.exe
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File created: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9CA4.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File created: C:\Users\user\AppData\Local\Temp\tbjvcq.exe
Source: C:\Users\user\AppData\Roaming\Onedrives.exe File created: C:\Users\user\AppData\Local\Temp\Onedrives.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\910A.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fstdhrc
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\fstdhrc

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330710365.00000000065C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.497377287.0000000003135000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291845691.00000000029B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.490436569.0000000003083000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330330021.0000000001593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291750810.0000000002944000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.495365261.00000000030D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rSYbV3jx0K.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: Onedrives.exe PID: 6416, type: MEMORY
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle, 6_2_00401306
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Onedrives (2 entries)

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\fstdhrc:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00408E31
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Key value created or modified: HKEY_CURRENT_USER\Software\278B0507D7CD5CABBCF1 4E47C429C681B3A23CF9BF8CDF60CAB79FBEDDB88B39B406A61CE21097DD7FE6
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match File source: 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330710365.00000000065C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.497377287.0000000003135000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291845691.00000000029B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.490436569.0000000003083000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330330021.0000000001593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291750810.0000000002944000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.495365261.00000000030D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rSYbV3jx0K.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: Onedrives.exe PID: 6416, type: MEMORY
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.unpack, type: UNPACKEDPE
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Renames NTDLL to bypass HIPS
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe File opened: C:\Windows\SysWOW64\ntdll.dll
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rSYbV3jx0K.exe, 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.490436569.0000000003083000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLDSELECT * FROM WIN32_COMPUTERSYSTEM
Source: rSYbV3jx0K.exe, 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp, Onedrives.exe, 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Btwgyizzspfr.exe, 00000016.00000002.442337121.00000000005E0000.00000004.00000001.sdmp Binary or memory string: ASWHOOK
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A6B90 rdtsc 22_2_6A8A6B90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Window / User API: threadDelayed 4116
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Window / User API: threadDelayed 5153
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3632
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3504
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 540
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8AAE.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\srndix.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\84F0.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8D20.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8F34.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qicqii.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\okjnek.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9CA4.exe
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tbjvcq.exe
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\910A.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe TID: 5992 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe TID: 5804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe TID: 6668 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe TID: 6676 Thread sleep count: 4116 > 30
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe TID: 6676 Thread sleep count: 5153 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 752 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Onedrives.exe TID: 6472 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Onedrives.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7164 Thread sleep count: 158 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 488 Thread sleep count: 63 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5756 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000001B.00000000.351926801.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001B.00000000.351926801.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: rSYbV3jx0K.exe, 00000011.00000003.380805099.00000000065C0000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: rSYbV3jx0K.exe, 00000000.00000002.293786142.0000000004E00000.00000002.00000001.sdmp, Onedrives.exe, 0000001A.00000002.510845349.00000000055C0000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000000.350155166.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001B.00000000.351266075.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Onedrives.exe, 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp Binary or memory string: vmware
Source: rSYbV3jx0K.exe, 00000011.00000003.344083698.00000000015C0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,{
Source: rSYbV3jx0K.exe, 00000011.00000003.368892745.00000000015C0000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}392}n
Source: rSYbV3jx0K.exe, 00000011.00000003.344083698.00000000015C0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001B.00000000.337240395.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000001B.00000000.351926801.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000001B.00000000.351926801.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001B.00000000.337368056.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: rSYbV3jx0K.exe, 00000000.00000002.293786142.0000000004E00000.00000002.00000001.sdmp, Onedrives.exe, 0000001A.00000002.510845349.00000000055C0000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000000.350155166.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rSYbV3jx0K.exe, 00000000.00000002.293786142.0000000004E00000.00000002.00000001.sdmp, Onedrives.exe, 0000001A.00000002.510845349.00000000055C0000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000000.350155166.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rSYbV3jx0K.exe, 00000000.00000002.291164624.0000000000C9B000.00000004.00000020.sdmp, Onedrives.exe, 0000001A.00000002.470656836.0000000001456000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rSYbV3jx0K.exe, 00000000.00000002.293786142.0000000004E00000.00000002.00000001.sdmp, Onedrives.exe, 0000001A.00000002.510845349.00000000055C0000.00000002.00000001.sdmp, explorer.exe, 0000001B.00000000.350155166.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe System information queried: CodeIntegrityInformation
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A6B90 rdtsc 22_2_6A8A6B90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B98C0 ZwDuplicateObject,LdrInitializeThunk, 22_2_6A8B98C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040289F
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AD294 mov eax, dword ptr fs:[00000030h] 22_2_6A8AD294
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8752A5 mov eax, dword ptr fs:[00000030h] 22_2_6A8752A5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A871AA0 mov eax, dword ptr fs:[00000030h] 22_2_6A871AA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A5AA0 mov eax, dword ptr fs:[00000030h] 22_2_6A8A5AA0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A12BD mov esi, dword ptr fs:[00000030h] 22_2_6A8A12BD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A12BD mov eax, dword ptr fs:[00000030h] 22_2_6A8A12BD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875AC0 mov eax, dword ptr fs:[00000030h] 22_2_6A875AC0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948ADD mov eax, dword ptr fs:[00000030h] 22_2_6A948ADD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873ACA mov eax, dword ptr fs:[00000030h] 22_2_6A873ACA
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A934AEF mov eax, dword ptr fs:[00000030h] 22_2_6A934AEF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A888A0A mov eax, dword ptr fs:[00000030h] 22_2_6A888A0A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A893A1C mov eax, dword ptr fs:[00000030h] 22_2_6A893A1C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875210 mov eax, dword ptr fs:[00000030h] 22_2_6A875210
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875210 mov ecx, dword ptr fs:[00000030h] 22_2_6A875210
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A229 mov eax, dword ptr fs:[00000030h] 22_2_6A89A229
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874A20 mov eax, dword ptr fs:[00000030h] 22_2_6A874A20
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8FEA20 mov eax, dword ptr fs:[00000030h] 22_2_6A8FEA20
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A878239 mov eax, dword ptr fs:[00000030h] 22_2_6A878239
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872240 mov ecx, dword ptr fs:[00000030h] 22_2_6A872240
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872240 mov eax, dword ptr fs:[00000030h] 22_2_6A872240
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A879240 mov eax, dword ptr fs:[00000030h] 22_2_6A879240
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A904257 mov eax, dword ptr fs:[00000030h] 22_2_6A904257
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A904248 mov eax, dword ptr fs:[00000030h] 22_2_6A904248
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B927A mov eax, dword ptr fs:[00000030h] 22_2_6A8B927A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92B260 mov eax, dword ptr fs:[00000030h] 22_2_6A92B260
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948A62 mov eax, dword ptr fs:[00000030h] 22_2_6A948A62
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874B94 mov edi, dword ptr fs:[00000030h] 22_2_6A874B94
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93138A mov eax, dword ptr fs:[00000030h] 22_2_6A93138A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A91EB8A mov ecx, dword ptr fs:[00000030h] 22_2_6A91EB8A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A91EB8A mov eax, dword ptr fs:[00000030h] 22_2_6A91EB8A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948BB6 mov eax, dword ptr fs:[00000030h] 22_2_6A948BB6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4BAD mov eax, dword ptr fs:[00000030h] 22_2_6A8A4BAD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A949BBE mov eax, dword ptr fs:[00000030h] 22_2_6A949BBE
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931BA8 mov eax, dword ptr fs:[00000030h] 22_2_6A931BA8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89DBE9 mov eax, dword ptr fs:[00000030h] 22_2_6A89DBE9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A871BE9 mov eax, dword ptr fs:[00000030h] 22_2_6A871BE9
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8723F6 mov eax, dword ptr fs:[00000030h] 22_2_6A8723F6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9223E3 mov ecx, dword ptr fs:[00000030h] 22_2_6A9223E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9223E3 mov eax, dword ptr fs:[00000030h] 22_2_6A9223E3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A309 mov eax, dword ptr fs:[00000030h] 22_2_6A89A309
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93131B mov eax, dword ptr fs:[00000030h] 22_2_6A93131B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A904320 mov eax, dword ptr fs:[00000030h] 22_2_6A904320
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F340 mov eax, dword ptr fs:[00000030h] 22_2_6A87F340
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948B58 mov eax, dword ptr fs:[00000030h] 22_2_6A948B58
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A3B5A mov eax, dword ptr fs:[00000030h] 22_2_6A8A3B5A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A3B7A mov eax, dword ptr fs:[00000030h] 22_2_6A8A3B7A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873880 mov eax, dword ptr fs:[00000030h] 22_2_6A873880
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B90AF mov eax, dword ptr fs:[00000030h] 22_2_6A8B90AF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8828AE mov eax, dword ptr fs:[00000030h] 22_2_6A8828AE
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8828AE mov ecx, dword ptr fs:[00000030h] 22_2_6A8828AE
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AF0BF mov ecx, dword ptr fs:[00000030h] 22_2_6A8AF0BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AF0BF mov eax, dword ptr fs:[00000030h] 22_2_6A8AF0BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8770C0 mov eax, dword ptr fs:[00000030h] 22_2_6A8770C0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8740E1 mov eax, dword ptr fs:[00000030h] 22_2_6A8740E1
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8758EC mov eax, dword ptr fs:[00000030h] 22_2_6A8758EC
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89B8E4 mov eax, dword ptr fs:[00000030h] 22_2_6A89B8E4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8828FD mov eax, dword ptr fs:[00000030h] 22_2_6A8828FD
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A944015 mov eax, dword ptr fs:[00000030h] 22_2_6A944015
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A876800 mov eax, dword ptr fs:[00000030h] 22_2_6A876800
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A888800 mov eax, dword ptr fs:[00000030h] 22_2_6A888800
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A94F019 mov eax, dword ptr fs:[00000030h] 22_2_6A94F019
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F018 mov eax, dword ptr fs:[00000030h] 22_2_6A87F018
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4020 mov edi, dword ptr fs:[00000030h] 22_2_6A8A4020
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89A830 mov eax, dword ptr fs:[00000030h] 22_2_6A89A830
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A877055 mov eax, dword ptr fs:[00000030h] 22_2_6A877055
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A875050 mov eax, dword ptr fs:[00000030h] 22_2_6A875050
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A932073 mov eax, dword ptr fs:[00000030h] 22_2_6A932073
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A941074 mov eax, dword ptr fs:[00000030h] 22_2_6A941074
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89F86D mov eax, dword ptr fs:[00000030h] 22_2_6A89F86D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89C182 mov eax, dword ptr fs:[00000030h] 22_2_6A89C182
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AA185 mov eax, dword ptr fs:[00000030h] 22_2_6A8AA185
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87519E mov eax, dword ptr fs:[00000030h] 22_2_6A87519E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87519E mov ecx, dword ptr fs:[00000030h] 22_2_6A87519E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93A189 mov eax, dword ptr fs:[00000030h] 22_2_6A93A189
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93A189 mov ecx, dword ptr fs:[00000030h] 22_2_6A93A189
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4190 mov eax, dword ptr fs:[00000030h] 22_2_6A8A4190
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A61A0 mov eax, dword ptr fs:[00000030h] 22_2_6A8A61A0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8999BF mov ecx, dword ptr fs:[00000030h] 22_2_6A8999BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8999BF mov eax, dword ptr fs:[00000030h] 22_2_6A8999BF
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9349A4 mov eax, dword ptr fs:[00000030h] 22_2_6A9349A4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B1E1 mov eax, dword ptr fs:[00000030h] 22_2_6A87B1E1
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8731E0 mov eax, dword ptr fs:[00000030h] 22_2_6A8731E0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9489E7 mov eax, dword ptr fs:[00000030h] 22_2_6A9489E7
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9041E8 mov eax, dword ptr fs:[00000030h] 22_2_6A9041E8
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A879100 mov eax, dword ptr fs:[00000030h] 22_2_6A879100
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A880100 mov eax, dword ptr fs:[00000030h] 22_2_6A880100
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A894120 mov eax, dword ptr fs:[00000030h] 22_2_6A894120
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A894120 mov ecx, dword ptr fs:[00000030h] 22_2_6A894120
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A513A mov eax, dword ptr fs:[00000030h] 22_2_6A8A513A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873138 mov ecx, dword ptr fs:[00000030h] 22_2_6A873138
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89B944 mov eax, dword ptr fs:[00000030h] 22_2_6A89B944
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87395E mov eax, dword ptr fs:[00000030h] 22_2_6A87395E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93E962 mov eax, dword ptr fs:[00000030h] 22_2_6A93E962
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948966 mov eax, dword ptr fs:[00000030h] 22_2_6A948966
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87B171 mov eax, dword ptr fs:[00000030h] 22_2_6A87B171
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873E80 mov eax, dword ptr fs:[00000030h] 22_2_6A873E80
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ADE9E mov eax, dword ptr fs:[00000030h] 22_2_6A8ADE9E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8F46A7 mov eax, dword ptr fs:[00000030h] 22_2_6A8F46A7
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A902EA3 mov eax, dword ptr fs:[00000030h] 22_2_6A902EA3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948ED6 mov eax, dword ptr fs:[00000030h] 22_2_6A948ED6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A36CC mov eax, dword ptr fs:[00000030h] 22_2_6A8A36CC
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A16E0 mov ecx, dword ptr fs:[00000030h] 22_2_6A8A16E0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B3EE4 mov eax, dword ptr fs:[00000030h] 22_2_6A8B3EE4
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A902E14 mov eax, dword ptr fs:[00000030h] 22_2_6A902E14
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87C600 mov eax, dword ptr fs:[00000030h] 22_2_6A87C600
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B0E21 mov eax, dword ptr fs:[00000030h] 22_2_6A8B0E21
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8F5623 mov eax, dword ptr fs:[00000030h] 22_2_6A8F5623
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FE3F mov eax, dword ptr fs:[00000030h] 22_2_6A92FE3F
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87A63B mov eax, dword ptr fs:[00000030h] 22_2_6A87A63B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A3E70 mov eax, dword ptr fs:[00000030h] 22_2_6A8A3E70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872FB0 mov eax, dword ptr fs:[00000030h] 22_2_6A872FB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872FB0 mov ecx, dword ptr fs:[00000030h] 22_2_6A872FB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873FC5 mov eax, dword ptr fs:[00000030h] 22_2_6A873FC5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A37EB mov eax, dword ptr fs:[00000030h] 22_2_6A8A37EB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B37F5 mov eax, dword ptr fs:[00000030h] 22_2_6A8B37F5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A90FF10 mov eax, dword ptr fs:[00000030h] 22_2_6A90FF10
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4710 mov eax, dword ptr fs:[00000030h] 22_2_6A8A4710
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89F716 mov eax, dword ptr fs:[00000030h] 22_2_6A89F716
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874F2E mov eax, dword ptr fs:[00000030h] 22_2_6A874F2E
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89B73D mov eax, dword ptr fs:[00000030h] 22_2_6A89B73D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A876730 mov eax, dword ptr fs:[00000030h] 22_2_6A876730
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AE730 mov eax, dword ptr fs:[00000030h] 22_2_6A8AE730
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87A745 mov eax, dword ptr fs:[00000030h] 22_2_6A87A745
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ADF4C mov eax, dword ptr fs:[00000030h] 22_2_6A8ADF4C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89E760 mov eax, dword ptr fs:[00000030h] 22_2_6A89E760
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A2F70 mov eax, dword ptr fs:[00000030h] 22_2_6A8A2F70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948F6A mov eax, dword ptr fs:[00000030h] 22_2_6A948F6A
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A934496 mov eax, dword ptr fs:[00000030h] 22_2_6A934496
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A871480 mov eax, dword ptr fs:[00000030h] 22_2_6A871480
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87649B mov eax, dword ptr fs:[00000030h] 22_2_6A87649B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A949CB3 mov eax, dword ptr fs:[00000030h] 22_2_6A949CB3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874CB0 mov eax, dword ptr fs:[00000030h] 22_2_6A874CB0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948CD6 mov eax, dword ptr fs:[00000030h] 22_2_6A948CD6
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A872CDB mov eax, dword ptr fs:[00000030h] 22_2_6A872CDB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A9314FB mov eax, dword ptr fs:[00000030h] 22_2_6A9314FB
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948C14 mov eax, dword ptr fs:[00000030h] 22_2_6A948C14
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88FC01 mov eax, dword ptr fs:[00000030h] 22_2_6A88FC01
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A931C06 mov eax, dword ptr fs:[00000030h] 22_2_6A931C06
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A94740D mov eax, dword ptr fs:[00000030h] 22_2_6A94740D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8ABC2C mov eax, dword ptr fs:[00000030h] 22_2_6A8ABC2C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A874439 mov eax, dword ptr fs:[00000030h] 22_2_6A874439
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948450 mov eax, dword ptr fs:[00000030h] 22_2_6A948450
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948C75 mov eax, dword ptr fs:[00000030h] 22_2_6A948C75
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89746D mov eax, dword ptr fs:[00000030h] 22_2_6A89746D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AAC7B mov eax, dword ptr fs:[00000030h] 22_2_6A8AAC7B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B5C70 mov eax, dword ptr fs:[00000030h] 22_2_6A8B5C70
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A88FC77 mov eax, dword ptr fs:[00000030h] 22_2_6A88FC77
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A93B581 mov eax, dword ptr fs:[00000030h] 22_2_6A93B581
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A873591 mov eax, dword ptr fs:[00000030h] 22_2_6A873591
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A35A1 mov eax, dword ptr fs:[00000030h] 22_2_6A8A35A1
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1DB5 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1DB5
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A92FDD3 mov eax, dword ptr fs:[00000030h] 22_2_6A92FDD3
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8715C1 mov eax, dword ptr fs:[00000030h] 22_2_6A8715C1
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A928DF1 mov eax, dword ptr fs:[00000030h] 22_2_6A928DF1
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A95EC mov eax, dword ptr fs:[00000030h] 22_2_6A8A95EC
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8795F0 mov eax, dword ptr fs:[00000030h] 22_2_6A8795F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8795F0 mov ecx, dword ptr fs:[00000030h] 22_2_6A8795F0
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A933518 mov eax, dword ptr fs:[00000030h] 22_2_6A933518
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A933518 mov eax, dword ptr fs:[00000030h] 22_2_6A933518
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A933518 mov eax, dword ptr fs:[00000030h] 22_2_6A933518
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87F51D mov eax, dword ptr fs:[00000030h] 22_2_6A87F51D
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A948D34 mov eax, dword ptr fs:[00000030h] 22_2_6A948D34
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A1520 mov eax, dword ptr fs:[00000030h] 22_2_6A8A1520
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4D3B mov eax, dword ptr fs:[00000030h] 22_2_6A8A4D3B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4D3B mov eax, dword ptr fs:[00000030h] 22_2_6A8A4D3B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8A4D3B mov eax, dword ptr fs:[00000030h] 22_2_6A8A4D3B
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87AD30 mov eax, dword ptr fs:[00000030h] 22_2_6A87AD30
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8B3D43 mov eax, dword ptr fs:[00000030h] 22_2_6A8B3D43
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87354C mov eax, dword ptr fs:[00000030h] 22_2_6A87354C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A87354C mov eax, dword ptr fs:[00000030h] 22_2_6A87354C
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A923D40 mov eax, dword ptr fs:[00000030h] 22_2_6A923D40
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A897D50 mov eax, dword ptr fs:[00000030h] 22_2_6A897D50
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89C577 mov eax, dword ptr fs:[00000030h] 22_2_6A89C577
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A89C577 mov eax, dword ptr fs:[00000030h] 22_2_6A89C577
Enables debug privileges
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: fstdhrc.27.dr
Adds a directory exclusion to Windows Defender
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory allocated: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 400000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Thread created: C:\Windows\explorer.exe EIP: 14D18D0
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Memory written: unknown base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 400000
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 402000
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 40E000
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 410000
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Memory written: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe base: 1001008
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError, 6_2_00401C26
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\zEyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eyverccjl.vbs'
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Process created: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5308
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 5736
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\,'C:\Users\user\AppData\Roaming\Onedrives.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe 'C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe'
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\srndix.exe'' & exit
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath ''C:\Users\user\AppData\Local\Temp\tbjvcq.exe''
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe Code function: 22_2_6A8AE730 RtlDecodePointer,ZwQueryInformationProcess,RtlRaiseStatus,RtlAllocateAndInitializeSid,RtlAllocateHeap,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid,RtlAllocateAndInitializeSid, 22_2_6A8AE730
Source: explorer.exe, 0000001B.00000000.309439100.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: rSYbV3jx0K.exe, 00000011.00000003.316647865.0000000006556000.00000004.00000001.sdmp, explorer.exe, 0000001B.00000000.310483776.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001B.00000000.310483776.0000000001980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001B.00000000.310483776.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001B.00000000.310483776.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Queries volume information: C:\Users\user\Desktop\rSYbV3jx0K.exe VolumeInformation
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Queries volume information: C:\Users\user\AppData\Roaming\Onedrives.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Queries volume information: C:\Users\user\AppData\Roaming\Onedrives.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Onedrives.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 6_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread, 6_2_0040A272
Source: C:\Users\user\Desktop\rSYbV3jx0K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 00000000.00000002.291799485.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330710365.00000000065C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291864007.00000000029D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.498353939.0000000003159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.497377287.0000000003135000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291845691.00000000029B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.490436569.0000000003083000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.330330021.0000000001593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291750810.0000000002944000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.495365261.00000000030D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rSYbV3jx0K.exe PID: 5268, type: MEMORY
Source: Yara match File source: Process Memory Space: Onedrives.exe PID: 6416, type: MEMORY
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.315dc38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3169044.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.2958248.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.31457ac.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29ddb9c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Onedrives.exe.3093b24.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29e8fa8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rSYbV3jx0K.exe.29c5710.3.unpack, type: UNPACKEDPE
AV process strings found (often used to terminate AV products)
Source: rSYbV3jx0K.exe, 00000011.00000003.316647865.0000000006556000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\rSYbV3jx0K.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information:

Yara detected SmokeLoader
Source: Yara match File source: C:\Users\user\AppData\Roaming\fstdhrc, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: dropped/Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: 22.0.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected SmokeLoader
Source: Yara match File source: C:\Users\user\AppData\Roaming\fstdhrc, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: dropped/Btwgyizzspfr.exe, type: DROPPED
Source: Yara match File source: 22.0.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Btwgyizzspfr.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 400708 Sample: rSYbV3jx0K.exe Startdate: 30/04/2021 Architecture: WINDOWS Score: 100

Start node:
  DNS/IP: greenco2020.top; cdn.discordapp.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for dropped file; 12 other signatures
  Started: rSYbV3jx0K.exe 19 12; Onedrives.exe

Process rSYbV3jx0K.exe (from start node):
  DNS/IP: www.yoursite.com 172.67.133.191, 443, 49713, 49714 CLOUDFLARENETUS United States; yoursite.com
  Dropped: C:\Users\user\AppData\Roaming\Onedrives.exe, PE32; C:\Users\user\AppData\...\rSYbV3jx0K.exe, PE32; C:\Users\...\Onedrives.exe:Zone.Identifier, ASCII; 2 other malicious files
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: wscript.exe 1; rSYbV3jx0K.exe 1 7; wscript.exe 1; 2 other processes

Process Onedrives.exe (from start node):
  DNS/IP: yoursite.com
  Dropped: C:\Users\user\AppData\...\AdvancedRun.exe, PE32
  Signatures: Machine Learning detection for dropped file
  Started: AdvancedRun.exe

Process wscript.exe (first, child of rSYbV3jx0K.exe):
  Started: Btwgyizzspfr.exe

Process rSYbV3jx0K.exe (child of rSYbV3jx0K.exe):
  DNS/IP: 193.142.146.202, 49732, 49738, 8808 HOSTSLICK-GERMANYNL Netherlands; pastebin.com 104.23.99.190, 443, 49731 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\Local\Temp\tbjvcq.exe, PE32; C:\Users\user\AppData\Local\Temp\qicqii.exe, PE32; C:\Users\user\AppData\Local\Temp\okjnek.exe, PE32; C:\Users\user\AppData\Local\Temp\srndix.exe, PE32+
  Signatures: Machine Learning detection for dropped file
  Started: cmd.exe; cmd.exe

Process wscript.exe (second, child of rSYbV3jx0K.exe):
  Signatures: Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
  Started: powershell.exe

2 other processes (children of rSYbV3jx0K.exe):
  Started: AdvancedRun.exe; AdvancedRun.exe

Process Btwgyizzspfr.exe (child of wscript.exe):
  Dropped: C:\Users\user\AppData\Local\Temp\D8E6.tmp, PE32
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
  Injected: explorer.exe

Process cmd.exe (first, child of rSYbV3jx0K.exe):
  Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy
  Started: conhost.exe; powershell.exe

Process cmd.exe (second, child of rSYbV3jx0K.exe):
  Started: conhost.exe

Process powershell.exe (child of wscript.exe):
  Started: conhost.exe

Process explorer.exe (injected by Btwgyizzspfr.exe):
  Dropped: C:\Users\user\AppData\Roaming\fstdhrc, PE32; C:\Users\user\AppData\Local\Temp\9CA4.exe, PE32; C:\Users\user\AppData\Local\Temp\910A.exe, PE32; 4 other malicious files
  Signatures: Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started: Onedrives.exe

Process Onedrives.exe (child of explorer.exe):
  DNS/IP: 104.21.14.15, 443, 49737 CLOUDFLARENETUS United States; yoursite.com; www.yoursite.com
  Dropped: C:\Users\user\AppData\Local\...\Onedrives.exe, PE32; C:\Users\user\AppData\...\Btwgyizzspfr.exe, PE32; C:\Users\...\Onedrives.exe:Zone.Identifier, ASCII
  Signatures: Injects a PE file into a foreign processes
  Started: AdvancedRun.exe

Contacted Public IPs

IP                Domain         Country         ASN     ASN Name             Malicious
104.23.99.190     pastebin.com   United States   13335   CLOUDFLARENETUS      false
104.21.14.15      unknown        United States   13335   CLOUDFLARENETUS      false
172.67.133.191    yoursite.com   United States   13335   CLOUDFLARENETUS      false
193.142.146.202   unknown        Netherlands     208046  HOSTSLICK-GERMANYNL  true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
yoursite.com 172.67.133.191 true
cdn.discordapp.com 162.159.129.233 true
www.yoursite.com 172.67.133.191 true
greenco2020.top 104.21.29.79 true
pastebin.com 104.23.99.190 true
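The process chain in the behavior graph and the IOCs in the tables above, turned into detection logic as an added example (this is not part of the Joe Sandbox report and not the sandbox's own signature code). It rebuilds the parent/child tree from constructed Sysmon-style events and flags the behaviours the report's signatures name: wscript.exe starting PowerShell directly or through one cmd.exe hop, a PowerShell execution-policy bypass, a Windows Defender exclusion being added, explorer.exe writing PE files, and connections to the IP marked malicious (193.142.146.202) or to pastebin.com. The events, PIDs and command lines are constructed for illustration; the report does not show the real command lines, and the rule names are my own.

```python
"""Detection logic for the behaviour recorded in this report (added example).
Events below are constructed Sysmon-style records, not data from the sandbox."""
import re

# Network IOCs taken from the report's Contacted IPs / Domains tables.
IOC_IPS = {"193.142.146.202"}        # the only IP flagged Malicious=true
IOC_DOMAINS = {"pastebin.com"}       # "Connects to a pastebin service (likely for C&C)"

# Constructed events: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate.
# PIDs and command lines are invented; the report lists no command lines.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\rSYbV3jx0K.exe", "cmd": "rSYbV3jx0K.exe"},
    {"id": 1, "pid": 110, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\AppData\Local\Temp\loader.vbs"'},
    {"id": 1, "pid": 120, "ppid": 110, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"id": 1, "pid": 130, "ppid": 110, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\s.ps1"},
    {"id": 1, "pid": 140, "ppid": 130, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\s.ps1"},
    {"id": 3, "pid": 100, "dst": "193.142.146.202", "dport": 8808, "host": ""},
    {"id": 3, "pid": 100, "dst": "104.23.99.190", "dport": 443, "host": "pastebin.com"},
    {"id": 3, "pid": 100, "dst": "162.159.129.233", "dport": 443, "host": "cdn.discordapp.com"},  # not flagged
    {"id": 1, "pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 11, "pid": 200, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\AppData\Local\Temp\9CA4.exe"},
    {"id": 11, "pid": 200, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Documents\notes.txt"},
    {"id": 1, "pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},   # benign control: explorer -> powershell, no bypass
]

# -ExecutionPolicy Bypass and its short forms (-exec, -ep)
EXEC_BYPASS = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I)
# Add-MpPreference with any exclusion switch (path, process, extension)
DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image names of parent, grandparent, ... (nearest first) while known."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            chain.append(image_name(procs[pid]["image"]))
    return chain


def detect(events):
    """Return a sorted list of (pid, rule) hits over the event stream."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = set()
    for e in events:
        if e["id"] == 1 and image_name(e["image"]) == "powershell.exe":
            chain = ancestry(procs, e["pid"])
            # wscript.exe as the parent, or as grandparent through a single cmd.exe hop
            if chain[:1] == ["wscript.exe"] or chain[:2] == ["cmd.exe", "wscript.exe"]:
                hits.add((e["pid"], "wscript_starts_powershell"))
            if EXEC_BYPASS.search(e["cmd"]):
                hits.add((e["pid"], "powershell_execution_policy_bypass"))
            if DEFENDER_EXCL.search(e["cmd"]):
                hits.add((e["pid"], "defender_exclusion_added"))
        elif e["id"] == 3 and (e["dst"] in IOC_IPS or e["host"] in IOC_DOMAINS):
            hits.add((e["pid"], "ioc_contact:" + (e["host"] or e["dst"])))
        elif (e["id"] == 11 and image_name(e["image"]) == "explorer.exe"
              and e["target"].lower().endswith((".exe", ".dll"))):
            # "Benign windows process drops PE files"
            hits.add((e["pid"], "benign_process_drops_pe"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The parent-chain check is deliberately limited to one cmd.exe hop, matching the "via cmd or directly" wording of the report's signature; widening it to any ancestor would also match the explorer.exe control process once wscript.exe appears anywhere above it, which is the usual source of noise with this rule.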