Windows Analysis Report
Uredospore8.exe

Overview

General Information

Sample name: Uredospore8.exe
Analysis ID: 1501381
MD5: 50c7ce412d99eb4769411d6b60a34ac6
SHA1: 551d077916a61780fb055f6e3b27c0f2ba4d3378
SHA256: 446156cab04d4f29ecee92429d9cba29e4403be17b677e74cde58e39e6487f20
Tags: exe

Detection

Tinba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Tinba Banker
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hooks files or directories query functions (used to hide files and directories)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Monitors registry run keys for changes
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Name: Tinba
Description: F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe. If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and, if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. in the legitimate-looking page. Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba

AV Detection

Source: Uredospore8.exe Avira: detected
Source: http://lkebgoxdejyq.com/preview/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Avira: detection malicious, Label: HEUR/AGEN.1335517
Source: Uredospore8.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Joe Sandbox ML: detected
Source: Uredospore8.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D42ECB CryptAcquireContextA,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 3_2_00D42ECB
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D42DF8 CryptStringToBinaryA,CryptDecodeObjectEx,CryptAcquireContextA,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 3_2_00D42DF8
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02142ECB CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 30_2_02142ECB
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02142DF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 30_2_02142DF8
Source: Uredospore8.exe Binary or memory string: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmKi9USd5qfAHO0EI7HVn RXX0UcpbQND9ufeTiNDdczkNZpvBWGqhwf9oPhq2VxGViSxK0b5FlXpKjlIf5w4S R2QDA7WsYcK65UQL9jl3zO52NqUXMBo0K3xEFpp3eAdJ2l73JrMRk+zcnOgXelAF A1L5nbioOBTcTNvaTqHeDTU5aeqyp/0edQ
Source: Uredospore8.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TbOpfOXygan.exe, 00000024.00000002.3341937192.000000000018E000.00000002.00000001.01000000.00000008.sdmp

Networking

Source: Network traffic Suricata IDS: 2020418 - Severity 1 - ET MALWARE Tinba Checkin 2 : 192.168.2.6:49711 -> 216.218.185.162:80
Source: Network traffic Suricata IDS: 2024659 - Severity 1 - ET MALWARE [PTsecurity] Tinba Checkin 4 : 192.168.2.6:49711 -> 216.218.185.162:80
Source: Network traffic Suricata IDS: 2830613 - Severity 1 - ETPRO MALWARE W32/Chthonic CnC Activity : 192.168.2.6:49711 -> 216.218.185.162:80
Source: global traffic HTTP traffic detected:
POST /preview/ HTTP/1.0
Host: lkebgoxdejyq.com
Content-Length: 157
Data Raw: 18 1a 83 d8 90 1d 83 d8 e8 5e 57 53 1e 18 82 fb 28 2a b3 e8 28 2a b3 ee
Data Ascii: ^WS(*(*
Source: Joe Sandbox View IP Address: 216.218.185.162
Source: Joe Sandbox View ASN Name: HURRICANEUS
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: global traffic HTTP traffic detected:
POST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
Accept: */*
Accept-Language: en-CH
Content-type: text/xml
X-Agent-DeviceId: 01000A410900C4F3
X-BM-CBT: 1696488253
X-BM-DateFormat: dd/MM/yyyy
X-BM-DeviceDimensions: 784x984
X-BM-DeviceDimensionsLogical: 784x984
X-BM-DeviceScale: 100
X-BM-DTZ: 120
X-BM-Market: CH
X-BM-Theme: 000000;0078d7
X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
X-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581D
X-Device-isOptin: false
X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
X-Device-OSSKU: 48
X-Device-Touch: false
X-DeviceID: 01000A410900C4F3
X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-c
X-MSEdge-ExternalExpType: JointCoord
X-PositionerType: Desktop
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
X-Search-CortanaAvailableCapabilities: None
X-Search-SafeSearch: Moderate
X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
X-UserAgeClass: Unknown
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Host: www.bing.com
Content-Length: 516
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D43084 send,send,recv,closesocket, 3_2_00D43084
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: lkebgoxdejyq.com
Source: unknown HTTP traffic detected:
POST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
Accept: */*
Accept-Language: en-CH
Content-type: text/xml
X-Agent-DeviceId: 01000A410900C4F3
X-BM-CBT: 1696488253
X-BM-DateFormat: dd/MM/yyyy
X-BM-DeviceDimensions: 784x984
X-BM-DeviceDimensionsLogical: 784x984
X-BM-DeviceScale: 100
X-BM-DTZ: 120
X-BM-Market: CH
X-BM-Theme: 000000;0078d7
X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
X-Device-ClientSession: 1D6F504B5A5A465DBDB84F31C63A581D
X-Device-isOptin: false
X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
X-Device-OSSKU: 48
X-Device-Touch: false
X-DeviceID: 01000A410900C4F3
X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshldspcl40,msbdsborgv2co,msbwdsbi920cf,optfsth3,premsbdsbchtupcf,wsbfixcachec,wsbqfasmsall_c,wsbqfminiserp_c,wsbref-c
X-MSEdge-ExternalExpType: JointCoord
X-PositionerType: Desktop
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
X-Search-CortanaAvailableCapabilities: None
X-Search-SafeSearch: Moderate
X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time
X-UserAgeClass: Unknown
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Host: www.bing.com
Content-Length: 516
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SRCHUID=V=2&GUID=CE2BE0509FF742BD822F50D98AD10391&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231005; SRCHHPGUSR=SRCHLANG=en&HV=1696488191&IPMH=5767d621&IPMID=1696488252989&LUT=1696487541024; CortanaAppUID=2020E25DAB158E420BA06F1C8DEF7959; MUID=81C61E09498D41CC97CDBBA354824ED1; _SS=SID=1D9FAF807E686D422B86BC217FC66C71&CPID=1696488253968&AC=1&CPH=071f2185; _EDGE_S=SID=1D9FAF807E686D422B86BC217FC66C71; MUIDB=81C61E09498D41CC97CDBBA354824ED1
Source: SearchApp.exe, 0000000D.00000000.2282517479.0000027A7E15E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRoot
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3379362084.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FAC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222070333.000001F697FA4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2282353557.0000027A7E0DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2282517479.0000027A7E15E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: SearchApp.exe, 0000000D.00000000.2282425797.0000027A7E134000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.live.com/Web/
Source: explorer.exe, 00000004.00000000.2194969646.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2194982780.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193205458.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.3372811032.000002C8A67C0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 00000004.00000003.2979250085.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979898080.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076151253.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076523652.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450962269.000000000C4BD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.comt
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D37C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: SearchApp.exe, 0000000D.00000000.2273444241.000002727D3A2000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2264186736.000002727C2B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: svchost.exe, 00000006.00000002.3361155429.000001A798043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219337012.000001A798043000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.activity.windows.comP
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000000.2222215269.000001F698700000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3383112196.000001F698700000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.coms
Source: SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://fb.me/react-polyfills
Source: SearchApp.exe, 0000000D.00000000.2281804728.0000027A7DEF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://fb.me/react-polyfillsThis
Source: svchost.exe, 00000006.00000000.2219376900.000001A798065000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2300739349.0000027A8007D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284459655.0000027A7E313000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284459655.0000027A7E313000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.windows.local
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.windows.local/
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.windows.net
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://login.windows.net/
Source: SearchApp.exe, 0000000D.00000000.2274494136.0000027A7D51C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2301318078.0000027A80184000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://mths.be/fromcodepoint
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80982000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://ntp.msn.com/web-widget?form=M
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: SearchApp.exe, 0000000D.00000000.2325343319.0000027A916C8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/M365.Access394866fc-eedb-4f01-8536-3ff84b16be2a72f988bf-86f1-41af-91ab-2d
Source: SearchApp.exe, 0000000D.00000000.2318850916.0000027A91528000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.office.com/M365.AccessZ
Source: explorer.exe, 00000004.00000000.2198248903.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcembere
Source: SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: SearchApp.exe, 0000000D.00000000.2329926503.0000027A91A9C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2302447567.0000027A80400000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2306685905.0000027A809C7000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2331674767.0000027A91B30000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office.com
Source: SearchApp.exe, 0000000D.00000000.2329609042.0000027A91A70000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office.com/M365.Access
Source: SearchApp.exe, 0000000D.00000000.2286028809.0000027A7E508000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWrite
Source: SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office.com/dsapi/v1.0/
Source: SearchApp.exe, 0000000D.00000000.2281866725.0000027A7DF30000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office.com/search/api651e5875e6d946c7adbf63b2ebc3ea64https://loki.delve.office.com
Source: SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A2C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://substrate.office365.us
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000000.2196219993.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000004.00000003.2980021268.000000000C354000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3450243606.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981054570.000000000C364000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981252114.000000000C374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076032675.000000000C377000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075818736.000000000C377000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/j
Source: StartMenuExperienceHost.exe, 0000000A.00000000.2237868953.00000275A062D000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000A.00000002.3413264410.00000275A062D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000003.2981503378.000000000C06D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981993470.000000000C086000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3447389765.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2198248903.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817"
Source: SearchApp.exe, 0000000D.00000000.2275895403.0000027A7D5E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1"
Source: SearchApp.exe, 0000000D.00000000.2282936536.0000027A7E223000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/de-ch/play?ocid=winpsearchboxexpcta2&cgfrom=cg_dsb_seeMore"
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=w
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
Source: SearchApp.exe, 0000000D.00000000.2330801653.0000027A91ACA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2284822249.0000027A7E3D1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
Source: explorer.exe, 00000004.00000002.3402298833.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 00000006.00000002.3364968286.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.2219449635.000001A7980AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.com/
Source: SearchApp.exe, 0000000D.00000000.2284398647.0000027A7E2F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.comwy
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: Process Memory Space: winver.exe PID: 616, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: Process Memory Space: winver.exe PID: 616, type: MEMORYSTR
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

System Summary

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00700655 NtWriteVirtualMemory, 0_2_00700655
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_007005BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory, 0_2_007005BC
Source: C:\Windows\explorer.exe Code function: 4_2_00F822BA NtQueryDirectoryFile, 4_2_00F822BA
Source: C:\Windows\explorer.exe Code function: 4_2_00F8221B NtEnumerateValueKey, 4_2_00F8221B
Source: C:\Windows\explorer.exe Code function: 4_2_00F81F2B NtCreateUserProcess, 4_2_00F81F2B
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D0221B NtEnumerateValueKey, 5_2_00D0221B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C16C0 NtResumeThread, 19_2_001C16C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C15E4 NtCreateUserProcess, 19_2_001C15E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_02250655 NtWriteVirtualMemory, 19_2_02250655
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_022505BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory, 19_2_022505BC
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C16C0 NtResumeThread, 30_2_001C16C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C15E4 NtCreateUserProcess, 30_2_001C15E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02141636 NtCreateProcessEx, 30_2_02141636
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02141677 NtCreateThread, 30_2_02141677
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_021420BC NtEnumerateValueKey, 30_2_021420BC
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_021416C0 NtResumeThread, 30_2_021416C0
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_0214212E NtQueryDirectoryFile, 30_2_0214212E
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_021415E4 NtCreateUserProcess, 30_2_021415E4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02150655 NtWriteVirtualMemory, 30_2_02150655
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_021505BC ReadProcessMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory, 30_2_021505BC
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00401200 0_2_00401200
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004030C1 0_2_004030C1
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004030CD 0_2_004030CD
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004039A5 0_2_004039A5
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0005 2_2_006D0005
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0EEA 2_2_006D0EEA
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D188F 2_2_006D188F
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D40EC6 3_2_00D40EC6
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D4186B 3_2_00D4186B
Source: C:\Windows\explorer.exe Code function: 4_2_00F80EC6 4_2_00F80EC6
Source: C:\Windows\explorer.exe Code function: 4_2_00F8186B 4_2_00F8186B
Source: C:\Windows\explorer.exe Code function: 4_2_02DF0EC6 4_2_02DF0EC6
Source: C:\Windows\explorer.exe Code function: 4_2_02DF186B 4_2_02DF186B
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D00EC6 5_2_00D00EC6
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D0186B 5_2_00D0186B
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F00EC6 6_2_00F00EC6
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F0186B 6_2_00F0186B
Source: C:\Windows\System32\svchost.exe Code function: 7_2_0019186B 7_2_0019186B
Source: C:\Windows\System32\svchost.exe Code function: 7_2_00190EC6 7_2_00190EC6
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E0EC6 8_2_009E0EC6
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E186B 8_2_009E186B
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00840EC6 9_2_00840EC6
Source: C:\Windows\System32\svchost.exe Code function: 9_2_0084186B 9_2_0084186B
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE0EC6 10_2_00EE0EC6
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE186B 10_2_00EE186B
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A40EC6 11_2_00A40EC6
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A4186B 11_2_00A4186B
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_005F186B 15_2_005F186B
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_005F0EC6 15_2_005F0EC6
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 16_2_0053186B 16_2_0053186B
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 16_2_00530EC6 16_2_00530EC6
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 17_2_00820EC6 17_2_00820EC6
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 17_2_0082186B 17_2_0082186B
Source: C:\Windows\System32\smartscreen.exe Code function: 18_2_0025186B 18_2_0025186B
Source: C:\Windows\System32\smartscreen.exe Code function: 18_2_00250EC6 18_2_00250EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C186B 19_2_001C186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C0EC6 19_2_001C0EC6
Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: 20_2_00930EC6 20_2_00930EC6
Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: 20_2_0093186B 20_2_0093186B
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 22_2_0018186B 22_2_0018186B
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 22_2_00180EC6 22_2_00180EC6
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0067186B 23_2_0067186B
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00670EC6 23_2_00670EC6
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: 24_2_009C0EC6 24_2_009C0EC6
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: 24_2_009C186B 24_2_009C186B
Source: C:\Windows\System32\conhost.exe Code function: 25_2_00F70EC6 25_2_00F70EC6
Source: C:\Windows\System32\conhost.exe Code function: 25_2_00F7186B 25_2_00F7186B
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 27_2_00D50EC6 27_2_00D50EC6
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 27_2_00D5186B 27_2_00D5186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 29_2_011A186B 29_2_011A186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 29_2_011A0EC6 29_2_011A0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C186B 30_2_001C186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C0EC6 30_2_001C0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_0214186B 30_2_0214186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02140EC6 30_2_02140EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 31_2_0234186B 31_2_0234186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 31_2_02340EC6 31_2_02340EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 32_2_00D60EC6 32_2_00D60EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 32_2_00D6186B 32_2_00D6186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 33_2_00E10EC6 33_2_00E10EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 33_2_00E1186B 33_2_00E1186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_001D186B 34_2_001D186B
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_001D0EC6 34_2_001D0EC6
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_008B0005 34_2_008B0005
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_008B0EEA 34_2_008B0EEA
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 35_2_0214186B 35_2_0214186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 35_2_02140EC6 35_2_02140EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 36_2_0073186B 36_2_0073186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 36_2_00730EC6 36_2_00730EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 37_2_00B10EC6 37_2_00B10EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 37_2_00B1186B 37_2_00B1186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 38_2_0268186B 38_2_0268186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 38_2_02680EC6 38_2_02680EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 39_2_0255186B 39_2_0255186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 39_2_02550EC6 39_2_02550EC6
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 40_2_0213186B 40_2_0213186B
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 40_2_02130EC6 40_2_02130EC6
Source: C:\Windows\System32\conhost.exe Code function: String function: 00F7375B appears 34 times
Source: C:\Windows\SysWOW64\winver.exe Code function: String function: 00D4375B appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: String function: 001C375B appears 68 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: String function: 001D375B appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: String function: 001C38A7 appears 40 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: String function: 008B377F appears 34 times
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: String function: 0214375B appears 34 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 0019375B appears 34 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 00F0375B appears 34 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 0084375B appears 34 times
Source: C:\Windows\System32\svchost.exe Code function: String function: 0067375B appears 34 times
Source: C:\Windows\System32\ctfmon.exe Code function: String function: 009E375B appears 34 times
Source: C:\Windows\explorer.exe Code function: String function: 00F8375B appears 34 times
Source: C:\Windows\explorer.exe Code function: String function: 02DF375B appears 34 times
Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: String function: 0093375B appears 34 times
Source: C:\Windows\System32\smartscreen.exe Code function: String function: 0025375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0213375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 00B1375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 011A375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0073375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0268375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0214375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0234375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 00E1375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 0255375B appears 34 times
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: String function: 00D6375B appears 34 times
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: String function: 00EE375B appears 34 times
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: String function: 006D377F appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe Code function: String function: 0053375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe Code function: String function: 00D5375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe Code function: String function: 0018375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe Code function: String function: 0082375B appears 34 times
Source: C:\Windows\System32\RuntimeBroker.exe Code function: String function: 00A4375B appears 34 times
Source: C:\Windows\System32\sihost.exe Code function: String function: 00D0375B appears 34 times
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: String function: 009C375B appears 34 times
Source: C:\Windows\System32\dllhost.exe Code function: String function: 005F375B appears 34 times
Source: Uredospore8.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: classification engine Classification label: mal100.bank.evad.winEXE@13/15@2/2
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0005 ExitProcess,GetProcAddress,GetModuleHandleW,ReadFile,WriteFile,SetFilePointer,CloseHandle,CreateToolhelp32Snapshot,Process32Next,OpenProcess,VirtualFree,VirtualAllocEx,CreateMutexA,CreateMutexA,lstrcat,lstrcmpiA,Sleep,CreateDirectoryA,SetFileAttributesA,CreateDirectoryA,SetFileAttributesA,CreateDirectoryA,SetFileAttributesA,VirtualAlloc,VirtualFree,Sleep, 2_2_006D0005
Source: C:\Windows\SysWOW64\winver.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\E6B93DA9 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Mutant created: \Sessions\1\BaseNamedObjects\E6B93DA9
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Mutant created: NULL
Source: Uredospore8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Users\user\Searches\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Uredospore8.exe ReversingLabs: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Windows\SysWOW64\winver.exe winver
Source: C:\Windows\SysWOW64\winver.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe" Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Windows\SysWOW64\winver.exe winver Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\RuntimeBroker.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Section loaded: nss3.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TbOpfOXygan.exe, 00000024.00000002.3341937192.000000000018E000.00000002.00000001.01000000.00000008.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\Uredospore8.exe Unpacked PE file: 2.2.Uredospore8.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .flat:ER;
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Unpacked PE file: 34.2.bin.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .flat:ER;
Source: bin.exe.3.dr Static PE information: real checksum: 0x200e6 should be: 0x1b198
Source: Uredospore8.exe Static PE information: real checksum: 0x200e6 should be: 0x18bbe
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_0040405C push AE79C959h; retf 0_2_00404068
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00407422 push es; iretd 0_2_00407437
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004016E2 push AE79C959h; retf 0_2_004016EE
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00403F5C push AE79C959h; retf 0_2_00403F68
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00405FD0 push ss; iretd 0_2_00405FD1
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004015E2 push AE79C959h; retf 0_2_004015EE
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004039A5 push AE79C959h; retf 0_2_004040EF
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_0070243E push AE79C959h; retf 0_2_0070244A
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_0070233E push AE79C959h; retf 0_2_0070234A
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0C5B push edi; ret 2_2_006D0C97
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0BCA push edi; ret 2_2_006D0C97
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D40BA6 push edi; ret 3_2_00D40C73
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D40C37 push edi; ret 3_2_00D40C73
Source: C:\Windows\explorer.exe Code function: 4_2_00F80C37 push edi; ret 4_2_00F80C73
Source: C:\Windows\explorer.exe Code function: 4_2_00F80BA6 push edi; ret 4_2_00F80C73
Source: C:\Windows\explorer.exe Code function: 4_2_02DF0C37 push edi; ret 4_2_02DF0C73
Source: C:\Windows\explorer.exe Code function: 4_2_02DF0BA6 push edi; ret 4_2_02DF0C73
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D00C37 push edi; ret 5_2_00D00C73
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D00BA6 push edi; ret 5_2_00D00C73
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F00C37 push edi; ret 6_2_00F00C73
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F00BA6 push edi; ret 6_2_00F00C73
Source: C:\Windows\System32\svchost.exe Code function: 7_2_00190C37 push edi; ret 7_2_00190C73
Source: C:\Windows\System32\svchost.exe Code function: 7_2_00190BA6 push edi; ret 7_2_00190C73
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E0C37 push edi; ret 8_2_009E0C73
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E0BA6 push edi; ret 8_2_009E0C73
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00840C37 push edi; ret 9_2_00840C73
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00840BA6 push edi; ret 9_2_00840C73
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE0C37 push edi; ret 10_2_00EE0C73
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE0BA6 push edi; ret 10_2_00EE0C73
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A40C37 push edi; ret 11_2_00A40C73
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A40BA6 push edi; ret 11_2_00A40C73
Source: Uredospore8.exe Static PE information: section name: .text entropy: 6.821035285186627
Source: bin.exe.3.dr Static PE information: section name: .text entropy: 6.821035285186627
Source: C:\Windows\SysWOW64\winver.exe File created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\winver.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run E6B93DA9 Jump to behavior
Source: C:\Windows\System32\ctfmon.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwResumeThread new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51
Source: C:\Users\user\Desktop\Uredospore8.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\System32\svchost.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\Uredospore8.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\System32\conhost.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\System32\RuntimeBroker.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\explorer.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\SysWOW64\winver.exe API/Special instruction interceptor: Address: 7FFDB442E814
Source: C:\Windows\SysWOW64\winver.exe RDTSC instruction interceptor: First address: D430A9 second address: D430D2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 stosd 0x00000005 mov eax, dword ptr [ebx+004043BDh] 0x0000000b stosd 0x0000000c mov eax, dword ptr [ebx+004043C1h] 0x00000012 stosd 0x00000013 mov eax, dword ptr [ebx+004069C0h] 0x00000019 stosd 0x0000001a mov eax, dword ptr [ebx+004069C4h] 0x00000020 stosd 0x00000021 lea eax, dword ptr [ebp-00000700h] 0x00000027 sub edi, eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0849 rdtsc 2_2_006D0849
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 786 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 757 Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Uredospore8.exe API coverage: 9.6 %
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe API coverage: 4.9 %
Source: C:\Windows\System32\dllhost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\ctfmon.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
Source: C:\Windows\System32\smartscreen.exe Last function: Thread delayed
Source: C:\Windows\System32\ApplicationFrameHost.exe Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Last function: Thread delayed
Source: explorer.exe, 00000004.00000000.2195839667.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: com.squirrel.FACEITApp.FACEITcom.squirrel.Postman.PostmanVMware.Workstation.vmui
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.3431957145.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2195839667.000000000978C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3401335035.000001F69890B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.2222969318.000001F69890B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80982000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: explorer.exe, 00000004.00000000.2194228969.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: winver.exe, 00000003.00000002.3345685766.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.View.Client
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: SearchApp.exe, 0000000D.00000003.2356316437.0000027A963CC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu10642
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware workstation 12 playerta cityy
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware workstation 15 player12watchtower translation systemtsz
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vm ware8394
Source: SearchApp.exe, 0000000D.00000000.2284398647.0000027A7E2F2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 5470*|hourly analysis program 4.50*|hap1*|hourly analysis program 4.80*|hap1*|hourly analysis program 4.90*|hap375*|hourly analysis program 4.91*|hap1*|hourly analysis program 5.01*|hap1*|hourly analysis program 5.10*|hap1*|hourly analysis program 5.11*|hap114*|hp scan*|scanner6717*|hp scan*|hpscan6355*|hp scan and capture*|hpscan6530*|hp smart*|hp printer5188*|hp smart*|hpsmart6013*|hp smart*|hp sca9057*|hp support assistant*|hp ass4184*|hp support assistant*|hps5179*|hp unified functional testing*|uft1*|hpe content manager*|trim1743*|hpe records manager*|trim1399*|hpe unified functional testing*|uft1*|huawei operation & maintenance system*|lmt1*|hulu*|huliu7717*|hulu*|hullu8132*|hulu*|huluu8464*|hulu*|huku5970*|hulu*|hule8326*|hulu*|julu8142*|hulu*|hlu6552*|hulu*|huu6329*|hwmonitor*|cpui5297*|hy-8 7.50*|hy81652*|hyper-v manager*|hyper v4919*|hyper-v manager*|virtual5441*|hyper-v manager*|hyperv4178*|hyper-v manager*|vm4595*|hyperspace*|epic708*|i.r.i.s. 
ocr registration*|iris1117*|ibm integration toolkit 10.0.0.10*|iib1*|ibm integration toolkit 10.0.0.11*|iib1*|ibm integration toolkit 10.0.0.12*|iib1*|ibm integration toolkit 10.0.0.13*|iib1*|ibm integration toolkit 10.0.0.15*|iib1*|ibm integration toolkit 10.0.0.7*|iib403*|ibm notes*|lotus2695*|ibm notes (basic)*|lotus3079*|ic business manager*|icb1577*|icloud*|i cloud5863*|icloud*|icould6247*|icloud*|iclu6932*|icloud photos*|pictures4048*|icloud photos*|i cloud5074*|icloud photos*|iphoto5036*|idle (python 3.7 32-bit)*|idel6028*|idle (python 3.7 64-bit)*|idel5996*|idle (python gui)*|python idle5336*|iheartradio*|i heart4638*|image composite editor*|ice852*|import passwords*|lastpass1242*|income tax planner*|bna1*|income tax planner workstation*|bna1*|inform*|ddi600*|information assistant*|ia1*|instagram*|instagra,10481*|instagram*|instagrm10522*|instagram*|instgram9142*|instagram*|instra10065*|instagram*|insat9464*|instagram*|insra10498*|instagram*|insts10256*|instagram*|isnta8095*|instagram*|inss10150*|instagram*|insy10074*|instagram*|ista9884*|instrument de decupare*|snipp3115*|intapp time*|dte2830*|integrated architecture builder*|iab1*|integrated dealer systems - g2*|ids1249*|integrated operations system*|ios1*|intel(r) extreme tuning utility*|xtu1972*|intellij idea community edition 2019.1.3*|inteli4762*|interaction administrator*|ia2559*|interactive ruby*|irb416*|interactive sql*|dbisql959*|internet download accelerator*|ida842*|internet download manager*|idman7834*|internet download manager*|idmm8541*|internet download manager*|intr7920*|internet download manager*|don8066*|internet download manager*|id,7596*|internet download manager*|idn6970*|internet download manager*|imd6996*|internet download manager*|ine9116*|internet download manager*|
Source: SearchApp.exe, 0000000D.00000000.2288256816.0000027A7E80D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe{6D809377-6AF0-444B-8957-A3773F02200E}\JetBrains\PhpStorm 2018.1.6\bin\phpstorm64.exe963
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 12 player*|vmpl5459
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|*|vmware6886
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|vm4595
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Horizon.Client
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vmare7220
Source: RuntimeBroker.exe, 0000000B.00000002.3354827834.000002C8A4C58000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware horizon client
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vlc media playere - insiderssrecord audio:wux:record audiovmware vsphere client
Source: svchost.exe, 00000006.00000002.3362446755.000001A798065000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2289266754.0000027A7E922000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|*|qemu10642
Source: SearchApp.exe, 0000000D.00000000.2306449484.0000027A80991000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2307269362.0000027A80A37000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2265953547.000002727CFAF000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2297626222.0000027A7EC2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: SearchApp.exe, 0000000D.00000003.2356316437.0000027A963CC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: /qemu10642
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware workstation 12 player
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|hyperv4178
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmui
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|virtual5441
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware workstation 15 player
Source: svchost.exe, 00000006.00000000.2219421842.000001A798088000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2263340509.00000272779A5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SearchApp.exe, 0000000D.00000000.2288200071.0000027A7E800000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmplayer
Source: explorer.exe, 00000004.00000000.2196219993.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.2195839667.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3431957145.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;n
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vspe6388
Source: SearchApp.exe, 0000000D.00000003.2299386010.0000027A980E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmware vsphere client
Source: SearchApp.exe, 0000000D.00000000.2274880792.0000027A7D535000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000000.2273444241.000002727D3A2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: del:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
Source: SearchApp.exe, 0000000D.00000000.2288256816.0000027A7E80D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vdi3894
Source: SearchApp.exe, 0000000D.00000003.2299223713.0000027A98002000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281551134.0000027A963DB000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281318447.0000027A96702000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|hyper v4919
Source: explorer.exe, 00000004.00000000.2195839667.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|view5503
Source: svchost.exe, 00000006.00000002.3363861560.000001A798088000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: SearchApp.exe, 0000000D.00000003.2281394297.0000027A98002000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vcenter5038
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\Uredospore8.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\winver.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0849 rdtsc 2_2_006D0849
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004030C1 mov eax, dword ptr fs:[00000030h] 0_2_004030C1
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_004030CD mov eax, dword ptr fs:[00000030h] 0_2_004030CD
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_007002AE mov eax, dword ptr fs:[00000030h] 0_2_007002AE
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 0_2_00700D34 mov eax, dword ptr fs:[00000030h] 0_2_00700D34
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_00401000 mov eax, dword ptr fs:[00000030h] 2_2_00401000
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D4071 mov edi, dword ptr fs:[00000030h] 2_2_006D4071
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0CA4 mov eax, dword ptr fs:[00000030h] 2_2_006D0CA4
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D40C80 mov eax, dword ptr fs:[00000030h] 3_2_00D40C80
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D4404D mov edi, dword ptr fs:[00000030h] 3_2_00D4404D
Source: C:\Windows\explorer.exe Code function: 4_2_00F80C80 mov eax, dword ptr fs:[00000030h] 4_2_00F80C80
Source: C:\Windows\explorer.exe Code function: 4_2_00F8404D mov edi, dword ptr fs:[00000030h] 4_2_00F8404D
Source: C:\Windows\explorer.exe Code function: 4_2_02DF0C80 mov eax, dword ptr fs:[00000030h] 4_2_02DF0C80
Source: C:\Windows\explorer.exe Code function: 4_2_02DF404D mov edi, dword ptr fs:[00000030h] 4_2_02DF404D
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D00C80 mov eax, dword ptr fs:[00000030h] 5_2_00D00C80
Source: C:\Windows\System32\sihost.exe Code function: 5_2_00D0404D mov edi, dword ptr fs:[00000030h] 5_2_00D0404D
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F00C80 mov eax, dword ptr fs:[00000030h] 6_2_00F00C80
Source: C:\Windows\System32\svchost.exe Code function: 6_2_00F0404D mov edi, dword ptr fs:[00000030h] 6_2_00F0404D
Source: C:\Windows\System32\svchost.exe Code function: 7_2_0019404D mov edi, dword ptr fs:[00000030h] 7_2_0019404D
Source: C:\Windows\System32\svchost.exe Code function: 7_2_00190C80 mov eax, dword ptr fs:[00000030h] 7_2_00190C80
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E0C80 mov eax, dword ptr fs:[00000030h] 8_2_009E0C80
Source: C:\Windows\System32\ctfmon.exe Code function: 8_2_009E404D mov edi, dword ptr fs:[00000030h] 8_2_009E404D
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00840C80 mov eax, dword ptr fs:[00000030h] 9_2_00840C80
Source: C:\Windows\System32\svchost.exe Code function: 9_2_0084404D mov edi, dword ptr fs:[00000030h] 9_2_0084404D
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE0C80 mov eax, dword ptr fs:[00000030h] 10_2_00EE0C80
Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 10_2_00EE404D mov edi, dword ptr fs:[00000030h] 10_2_00EE404D
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A40C80 mov eax, dword ptr fs:[00000030h] 11_2_00A40C80
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 11_2_00A4404D mov edi, dword ptr fs:[00000030h] 11_2_00A4404D
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_005F404D mov edi, dword ptr fs:[00000030h] 15_2_005F404D
Source: C:\Windows\System32\dllhost.exe Code function: 15_2_005F0C80 mov eax, dword ptr fs:[00000030h] 15_2_005F0C80
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 16_2_0053404D mov edi, dword ptr fs:[00000030h] 16_2_0053404D
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 16_2_00530C80 mov eax, dword ptr fs:[00000030h] 16_2_00530C80
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 17_2_00820C80 mov eax, dword ptr fs:[00000030h] 17_2_00820C80
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 17_2_0082404D mov edi, dword ptr fs:[00000030h] 17_2_0082404D
Source: C:\Windows\System32\smartscreen.exe Code function: 18_2_0025404D mov edi, dword ptr fs:[00000030h] 18_2_0025404D
Source: C:\Windows\System32\smartscreen.exe Code function: 18_2_00250C80 mov eax, dword ptr fs:[00000030h] 18_2_00250C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C404D mov edi, dword ptr fs:[00000030h] 19_2_001C404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C0C80 mov eax, dword ptr fs:[00000030h] 19_2_001C0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_022502AE mov eax, dword ptr fs:[00000030h] 19_2_022502AE
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_02250D34 mov eax, dword ptr fs:[00000030h] 19_2_02250D34
Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: 20_2_00930C80 mov eax, dword ptr fs:[00000030h] 20_2_00930C80
Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: 20_2_0093404D mov edi, dword ptr fs:[00000030h] 20_2_0093404D
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 22_2_0018404D mov edi, dword ptr fs:[00000030h] 22_2_0018404D
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 22_2_00180C80 mov eax, dword ptr fs:[00000030h] 22_2_00180C80
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0067404D mov edi, dword ptr fs:[00000030h] 23_2_0067404D
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00670C80 mov eax, dword ptr fs:[00000030h] 23_2_00670C80
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: 24_2_009C0C80 mov eax, dword ptr fs:[00000030h] 24_2_009C0C80
Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: 24_2_009C404D mov edi, dword ptr fs:[00000030h] 24_2_009C404D
Source: C:\Windows\System32\conhost.exe Code function: 25_2_00F70C80 mov eax, dword ptr fs:[00000030h] 25_2_00F70C80
Source: C:\Windows\System32\conhost.exe Code function: 25_2_00F7404D mov edi, dword ptr fs:[00000030h] 25_2_00F7404D
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 27_2_00D50C80 mov eax, dword ptr fs:[00000030h] 27_2_00D50C80
Source: C:\Windows\System32\RuntimeBroker.exe Code function: 27_2_00D5404D mov edi, dword ptr fs:[00000030h] 27_2_00D5404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 29_2_011A404D mov edi, dword ptr fs:[00000030h] 29_2_011A404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 29_2_011A0C80 mov eax, dword ptr fs:[00000030h] 29_2_011A0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C404D mov edi, dword ptr fs:[00000030h] 30_2_001C404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C0C80 mov eax, dword ptr fs:[00000030h] 30_2_001C0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_0214404D mov edi, dword ptr fs:[00000030h] 30_2_0214404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02140C80 mov eax, dword ptr fs:[00000030h] 30_2_02140C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_021502AE mov eax, dword ptr fs:[00000030h] 30_2_021502AE
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02150D34 mov eax, dword ptr fs:[00000030h] 30_2_02150D34
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 31_2_0234404D mov edi, dword ptr fs:[00000030h] 31_2_0234404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 31_2_02340C80 mov eax, dword ptr fs:[00000030h] 31_2_02340C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 32_2_00D60C80 mov eax, dword ptr fs:[00000030h] 32_2_00D60C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 32_2_00D6404D mov edi, dword ptr fs:[00000030h] 32_2_00D6404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 33_2_00E10C80 mov eax, dword ptr fs:[00000030h] 33_2_00E10C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 33_2_00E1404D mov edi, dword ptr fs:[00000030h] 33_2_00E1404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_001D404D mov edi, dword ptr fs:[00000030h] 34_2_001D404D
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_001D0C80 mov eax, dword ptr fs:[00000030h] 34_2_001D0C80
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_008B0CA4 mov eax, dword ptr fs:[00000030h] 34_2_008B0CA4
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_008B4071 mov edi, dword ptr fs:[00000030h] 34_2_008B4071
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 35_2_0214404D mov edi, dword ptr fs:[00000030h] 35_2_0214404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 35_2_02140C80 mov eax, dword ptr fs:[00000030h] 35_2_02140C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 36_2_0073404D mov edi, dword ptr fs:[00000030h] 36_2_0073404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 36_2_00730C80 mov eax, dword ptr fs:[00000030h] 36_2_00730C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 37_2_00B10C80 mov eax, dword ptr fs:[00000030h] 37_2_00B10C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 37_2_00B1404D mov edi, dword ptr fs:[00000030h] 37_2_00B1404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 38_2_0268404D mov edi, dword ptr fs:[00000030h] 38_2_0268404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 38_2_02680C80 mov eax, dword ptr fs:[00000030h] 38_2_02680C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 39_2_0255404D mov edi, dword ptr fs:[00000030h] 39_2_0255404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 39_2_02550C80 mov eax, dword ptr fs:[00000030h] 39_2_02550C80
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 40_2_0213404D mov edi, dword ptr fs:[00000030h] 40_2_0213404D
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe Code function: 40_2_02130C80 mov eax, dword ptr fs:[00000030h] 40_2_02130C80

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: F80000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\sihost.exe base: D00000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: F00000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 190000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 9E0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: 2DF0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 840000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: EE0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A40000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: BB0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 530000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 820000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 250000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 930000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 980000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 670000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 9C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\conhost.exe base: F70000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: 710000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: D50000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2340000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D60000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2140000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 730000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2680000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2550000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2130000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2BA0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B20000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11D0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2ED0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2120000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 28D0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2930000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 25B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2920000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2480000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2180000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D60000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 14D0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 26B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1380000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2840000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B30000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2F10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2210000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: C10000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: F90000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 620000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 860000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7A0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1270000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: BD0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 5F0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 920000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10C0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 980000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2000000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: A20000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10F0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 13E0000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1450000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: CB0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B60000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B90000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1320000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: DB0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7F0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2500000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2100000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 12E0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1480000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E60000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1420000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: ED0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 29A0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2C30000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B80000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D30000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11E0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E20000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 6A0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 810000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2980000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1360000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 750000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 590000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 9D0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 5F0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 2140000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Uredospore8.exe Code function: 2_2_006D0E45 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 2_2_006D0E45
Source: C:\Windows\SysWOW64\winver.exe Code function: 3_2_00D40E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 3_2_00D40E21
Source: C:\Windows\explorer.exe Code function: 4_2_00F81FD7 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 4_2_00F81FD7
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 19_2_001C0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 19_2_001C0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_001C0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 30_2_001C0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 30_2_02140E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 30_2_02140E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_001D0E21 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 34_2_001D0E21
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Code function: 34_2_008B0E45 VirtualAllocEx,WriteProcessMemory,IsWow64Process,CreateRemoteThread, 34_2_008B0E45
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\explorer.exe EIP: F808E2
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\sihost.exe EIP: D0094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: F0094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: 19094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\ctfmon.exe EIP: 9E094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\explorer.exe EIP: 2DF094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: 84094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe EIP: EE094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: A4094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe EIP: BB094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 53094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 82094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\smartscreen.exe EIP: 25094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\ApplicationFrameHost.exe EIP: 93094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe EIP: 98094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 18094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe EIP: 9C094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\conhost.exe EIP: F7094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\backgroundTaskHost.exe EIP: 71094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: D5094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 11A094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 234094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: D6094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: E1094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 214094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 73094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: B1094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 268094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 255094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe EIP: 213094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2BA094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2B2094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 11D094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: B8094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 137094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2ED094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 212094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 28D094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 22B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 293094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 25B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2D1094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 292094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 248094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 218094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2D6094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 14D094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 26B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 138094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 284094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: B3094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 69094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 23B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2F1094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 22B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 221094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: C1094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: F9094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 62094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 86094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 7A094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 127094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 69094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: BD094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 5F094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 92094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 10C094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 98094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 200094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: A2094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 10F094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 13E094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 145094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: E9094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: CB094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: B6094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2B9094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 132094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: DB094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 7F094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 250094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 210094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 12E094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 148094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: E6094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 142094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: E9094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: ED094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 29A094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2C3094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 2B8094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: D3094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 11E094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: E2094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 6A094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 137094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 23B094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 81094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 298094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 136094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 75094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: B8094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 59094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: unknown EIP: 9D094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\dllhost.exe EIP: 5F094C
Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 214094C
Source: C:\Windows\explorer.exe Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 1C094C
Source: C:\Windows\explorer.exe Thread created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe EIP: 1C094C
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Thread created: unknown EIP: 76228920
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Thread created: unknown EIP: 1D094C
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtOpenSection: Direct from: 0x2143F49
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtQueryValueKey: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtDelayExecution: Direct from: 0x2144046
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtDelayExecution: Direct from: 0x2144036
Source: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe NtDelayExecution: Direct from: 0x2144026
Source: C:\Windows\SysWOW64\winver.exe Memory written: PID: 4004 base: F80000 value: 50
Source: C:\Windows\SysWOW64\winver.exe Memory written: PID: 4004 base: 2DF0000 value: 50
Source: C:\Users\user\Desktop\Uredospore8.exe Memory written: C:\Windows\SysWOW64\winver.exe base: FF18B0
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\explorer.exe base: F80000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\sihost.exe base: D00000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\svchost.exe base: F00000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\svchost.exe base: 190000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\ctfmon.exe base: 9E0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\explorer.exe base: 2DF0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\svchost.exe base: 840000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: EE0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: A40000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: BB0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 530000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 820000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\smartscreen.exe base: 250000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 930000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 980000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 180000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\svchost.exe base: 670000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 9C0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\conhost.exe base: F70000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 710000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: D50000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11A0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2340000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D60000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E10000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2140000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 730000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B10000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2680000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2550000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2130000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2BA0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B20000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11D0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2ED0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2120000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 28D0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2930000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 25B0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D10000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2920000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2480000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2180000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2D60000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 14D0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 26B0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1380000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2840000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B30000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2F10000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 22B0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2210000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: C10000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: F90000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 620000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 860000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7A0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1270000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 690000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: BD0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 5F0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 920000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10C0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 980000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2000000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: A20000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 10F0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 13E0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1450000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: CB0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B60000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B90000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1320000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: DB0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 7F0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2500000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2100000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 12E0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1480000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E60000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1420000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E90000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: ED0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 29A0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2C30000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2B80000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: D30000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 11E0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: E20000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 6A0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1370000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 23B0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 810000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 2980000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 1360000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 750000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: B80000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 590000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Program Files (x86)\piZjuUwknKzQTPjZNyoprYIvPKBgQzSfYLoVrxjkQiliRJUKSbTKtfmOoVFdNq\TbOpfOXygan.exe base: 9D0000 Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Windows\System32\dllhost.exe base: 5F0000
Source: C:\Windows\SysWOW64\winver.exe Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 2140000
Source: C:\Windows\explorer.exe Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 1C0000
Source: C:\Windows\explorer.exe Memory written: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe base: 1C0000
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Users\user\Desktop\Uredospore8.exe "C:\Users\user\Desktop\Uredospore8.exe"
Source: C:\Users\user\Desktop\Uredospore8.exe Process created: C:\Windows\SysWOW64\winver.exe winver
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process created: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe "C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe"
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Process created: unknown unknown
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2194095055.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3399015831.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: ctfmon.exe, 00000008.00000002.3359267400.00000128DBAF7000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000008.00000000.2226537305.00000128DBAF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd&
Source: winver.exe, 00000003.00000002.3338776042.0000000000ABC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: "vShell_TrayWndr[
Source: explorer.exe, 00000004.00000000.2192850877.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3342158192.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000004.00000002.3360217865.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2193119293.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000005.00000002.3369167482.000001D63C371000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.3431957145.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979250085.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2196219993.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: winver.exe, 00000003.00000002.3338776042.0000000000ABC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: "vShell_TrayWnd
Source: C:\Users\user\Desktop\Uredospore8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133694340288381827.txt VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\AppData\Roaming\E6B93DA9\bin.exe Queries volume information: C:\ VolumeInformation