Windows Analysis Report 4ra1Fo2Zql.exe

Source: 4ra1Fo2Zql.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe			Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\b4601131bf8590			Jump to behavior

Source: 4ra1Fo2Zql.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

Spreading

Suricata IDS alerts for network traffic

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49717 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49715 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49713 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49719 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49720 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49712 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49722 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49721 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49716 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49718 -> 80.211.144.156:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 80.211.144.156 80.211.144.156

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 621287cm.n9shteam2.top

Source: unknown

HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top/
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Creates files inside the system directory

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP

Detected potential crypto function

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E60D48	0_2_00007FF848E60D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E60E43	0_2_00007FF848E60E43
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E80D48	10_2_00007FF848E80D48
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E80E43	10_2_00007FF848E80E43
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E91635	11_2_00007FF848E91635
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E712B2	11_2_00007FF848E712B2
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E60D48	11_2_00007FF848E60D48
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E60E43	11_2_00007FF848E60E43
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E50D48	28_2_00007FF848E50D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E50E43	28_2_00007FF848E50E43
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E90D48	31_2_00007FF848E90D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E90E43	31_2_00007FF848E90E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E612B2	32_2_00007FF848E612B2
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E81601	32_2_00007FF848E81601
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E50D48	32_2_00007FF848E50D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E50E43	32_2_00007FF848E50E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E80D48	34_2_00007FF848E80D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E80E43	34_2_00007FF848E80E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848EB1635	34_2_00007FF848EB1635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E914BB	34_2_00007FF848E914BB
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EC1635	35_2_00007FF848EC1635
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EC1601	35_2_00007FF848EC1601
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EA12B2	35_2_00007FF848EA12B2
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848E90D48	35_2_00007FF848E90D48
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848E90E43	35_2_00007FF848E90E43
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E912B2	37_2_00007FF848E912B2
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E80D48	37_2_00007FF848E80D48
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E80E43	37_2_00007FF848E80E43
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848EB1635	37_2_00007FF848EB1635
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E60D48	38_2_00007FF848E60D48
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E60E43	38_2_00007FF848E60E43
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E712B2	38_2_00007FF848E712B2
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E91635	38_2_00007FF848E91635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E80D48	39_2_00007FF848E80D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E80E43	39_2_00007FF848E80E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848EB1635	39_2_00007FF848EB1635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E914BB	39_2_00007FF848E914BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E91635	45_2_00007FF848E91635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E714BB	45_2_00007FF848E714BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E60D48	45_2_00007FF848E60D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E60E43	45_2_00007FF848E60E43

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CAgBdTQY.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Sample file is different than original file name gathered from version info

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2085769625.000000001B7E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2080353775.000000001B7B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001C.00000002.2230154294.0000000002610000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.000000000325A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.0000000003190000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe

Source: 4ra1Fo2Zql.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4ra1Fo2Zql.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GrVEPTmsoNTbY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GrVEPTmsoNTbY.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2058962549.00000000006FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@54/48@1/1

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\Desktop\xxMkqOtN.log

Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-ln07BHafEPq82yTj5rEF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\AppData\Local\Temp\q4lxag2s

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"

Source: 4ra1Fo2Zql.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4ra1Fo2Zql.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 4ra1Fo2Zql.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File read: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
Source: unknown	Process created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql" /sc ONLOGON /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: unknown	Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
Source: unknown	Process created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

.NET source code contains method to dynamically call methods (often used by packers)

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe			Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\b4601131bf8590			Jump to behavior

Source: 4ra1Fo2Zql.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4ra1Fo2Zql.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 4ra1Fo2Zql.exe

Static file information: File size 1959424 > 1048576

Source: 4ra1Fo2Zql.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dde00

Source: 4ra1Fo2Zql.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs

.Net Code: Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777245)),Type.GetTypeFromHandle(jBVrEh6dwsCwn1TMD7p.njIvGwSeUaf(16777259))})

Compiles C# or VB.Net code

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E64B91 push eax; retf	0_2_00007FF848E64B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E64790 push esp; iretd	0_2_00007FF848E64793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E600BD pushad ; iretd	0_2_00007FF848E600C1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E61C9F push FFFFFFBEh; ret	0_2_00007FF848E61CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848FC25D4 push esi; ret	0_2_00007FF848FC25DF
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF84925D1FC push edi; ret	0_2_00007FF84925D1FE
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E84B91 push eax; retf	10_2_00007FF848E84B97
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E84790 push esp; iretd	10_2_00007FF848E84793
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E81C9F push FFFFFFBEh; ret	10_2_00007FF848E81CA1
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848FE25D4 push esi; ret	10_2_00007FF848FE25DF
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E960B8 push edx; retf	11_2_00007FF848E960BB
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E95CBA push eax; iretd	11_2_00007FF848E95CBD
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E798E0 push 8B48FFFFh; iretd	11_2_00007FF848E798E5
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E78426 push ds; iretd	11_2_00007FF848E78427
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E64B91 push eax; retf	11_2_00007FF848E64B97
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E64790 push esp; iretd	11_2_00007FF848E64793
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E600BD pushad ; iretd	11_2_00007FF848E600C1
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E61C9F push FFFFFFBEh; ret	11_2_00007FF848E61CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E54790 push esp; iretd	28_2_00007FF848E54793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E54B91 push eax; retf	28_2_00007FF848E54B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E51C9F push FFFFFFBEh; ret	28_2_00007FF848E51CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E94790 push esp; iretd	31_2_00007FF848E94793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E94B91 push eax; retf	31_2_00007FF848E94B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E91C9F push FFFFFFBEh; ret	31_2_00007FF848E91CA1
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E698E0 push 8B48FFFFh; iretd	32_2_00007FF848E698E5
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E68426 push ds; iretd	32_2_00007FF848E68427
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E85CBA push eax; iretd	32_2_00007FF848E85CBD
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E860B8 push edx; retf	32_2_00007FF848E860BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E54790 push esp; iretd	32_2_00007FF848E54793
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E54B91 push eax; retf	32_2_00007FF848E54B97
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E51C9F push FFFFFFBEh; ret	32_2_00007FF848E51CA1

Source: 4ra1Fo2Zql.exe	Static PE information: section name: .text entropy: 7.554685403500024
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: csrss.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe0.0.dr	Static PE information: section name: .text entropy: 7.554685403500024

Source: 4ra1Fo2Zql.exe, ex6u5CrEHFnwWAeLDl.cs	High entropy of concatenated method names: 'jTUlnAwZw', 'vXV3I3cPfubGLex0LY9I', 'eqxB2ocPF0UNM9kR7vnk', 'yZ0emHcPp5YI9Gjy8Cqt', 'MMsXbKcPlHvsuQ08rfgU', 'yXw4QDWG9', 'dRQ0U2hbn', 'opPUY6f0S', 'bLOIhOZHt', 'bAXoiLxSA'
Source: 4ra1Fo2Zql.exe, D1FlRoDqcSARSOZbnHB.cs	High entropy of concatenated method names: 'LH0DNpi0OT', 'wpl8fdcRadw4COXsxnuK', 'wcqgGHcR4E5UMJVgGupE', 'SvIBEVcR0tM8bs5p0Q4Q', 'P9X', 'vmethod_0', 'OSucCKDAZ1R', 'imethod_0', 'OerX3RcRW6qjVLu0VrrU', 'dhG7DXcRePJxCmdIc600'
Source: 4ra1Fo2Zql.exe, nABh0Kys1MN46ZffL5J.cs	High entropy of concatenated method names: 'AjGtDpckSwgdICKMH3ci', 'cA5XYwckqc9FTZOjVOQt', 'ulTPQBckJKmf6j91WeId', 'Hba50pckVqVcUINrpbxA', 'H7jdAxedVd', 'aZuF4BckYGZtoGOJnv0U', 'lg5ghsckwi7kWkd1NZ1W', 'u7dCkVckxr7Q6oJ9RosS', 'IXy6JLckOR53rZIX1OhW', 'tR2QAfckNSnll0dVyJCf'
Source: 4ra1Fo2Zql.exe, UqUu7p6aIXKD1Jfyfpd.cs	High entropy of concatenated method names: 'omG6nafVoJ', 'BHS6Bfoni8', 'wHe6FMXsVw', 'Dgd6pmFCp8', 'mD26f7r79N', 'McE6lS3ThH', 'faL6RlJcUM', 'kN0683phGP', 'edC6krdgt3', 'sau6b1MxUP'
Source: 4ra1Fo2Zql.exe, LgJrts62MAVfKLajc7D.cs	High entropy of concatenated method names: 'FTjc5pmK0q4', 'KHWc5fOv9YL', 'D9ac5lebFQc', 'rjAc5RQc5QP', 'lumc58aM0gn', 'apOc5kfB485', 'hRlc5bcQixZ', 'qO1AGrEADa', 'VOYc52bFKR7', 'Sf1c5mIg8ae'
Source: 4ra1Fo2Zql.exe, K4Kx3sNmFb8h7ZRAOdA.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'knJN9CK56r', 'tcqNElYWFc', 'hsQNT2CQAE', 'Dispose', 'Af3XP7cguYf9AWumsLBy', 'MO271Icg9U1aFLQYi5ua', 'fQFYM2cgEvwaTpWZSBFP', 'U855KxcgT2QgBDlCVWZs'
Source: 4ra1Fo2Zql.exe, tUhWhiFDEretVj0VSwR.cs	High entropy of concatenated method names: 'GH3F78FRrT', 'XVnFQXvaO2', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'O1rFhxv1ql', 'method_2', 'uc7'
Source: 4ra1Fo2Zql.exe, M70500G29FF1KspfaIr.cs	High entropy of concatenated method names: 'q64', 'P9X', 'iiUcCdUwcsD', 'vmethod_0', 'hPAcD5aD5Wp', 'imethod_0', 'yHKRJMcFtq8P2W8BVEgY', 'Bg0fyWcFgOCs1RWKOJsC', 'LAh40icF6GtJMUJpbUnL', 'q4xqrlcFA10ZYwr8bpGP'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	High entropy of concatenated method names: 'Eh3wu6c6U2NXq3OH0i04', 'fsRJyZc6ItU940W7BfI9', 'iROgYC8i59', 'ASsjpwc6MWdk3p6HHEbv', 'bdhie2c6PnqV6FrbVi7p', 'P3jnghc6K5bFUJEwqlAs', 'f8sAnKc63W3L8g2L6WE2', 'JQFE5Kc6nvBbLBsgyKZU', 'Y6EiaLc6BZQFVH5oY9tO', 'InpuMhc6FW7ZxuJiQ7HQ'
Source: 4ra1Fo2Zql.exe, XBqvsHCMnuXoWheSita.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'RRxcD1mn3ir', 'vnWcCcgqcIs', 'wYUONtcBPTryoXA4XPpk', 'MG5652cBKBGRKij6RI8B', 'Nd5nMXcB3VUeUGo2KNjM'
Source: 4ra1Fo2Zql.exe, KZdqMw5l3AoIJlrSqTl.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'Oc2cD7Kxfw7', 'vnWcCcgqcIs', 'V6rTBpcpSBM3GicUUf7x', 'GpBtvYcpVQ21VE8G7Dhj', 'zara7OcpH8rnoKGGo9ra'
Source: 4ra1Fo2Zql.exe, avLbHS1Pps7sMlPbrMt.cs	High entropy of concatenated method names: 'Vkr19Jl9N6', 'Wmy1EYb8jy', 'IIf1TF1Glr', 'OUd3NxcnEPfOqxscLIY3', 'z6rWVNcnTeDH6NehStYn', 'sFMiUPcnuAqBuB6nnwOQ', 'eqdDXrcn9uUEswNu8gqK', 'Fh913Ojdev', 'dyi1neItpN', 'B6N1Bo1xfE'
Source: 4ra1Fo2Zql.exe, m2qHExicItpUidZ31pB.cs	High entropy of concatenated method names: 'lyPi1ZYANh', 'q1oiCf1XUp', 'kMMiGXUIG6', 'xI53dlcfhOVvcL3VByru', 'KB1GTccfZxEagedTYhAO', 'sGt7HocfdvUJPLFx10TO', 'g0AmpQcfWPHh8p5H8VwN', 'o4gqbucfeL6FH2HfR1Xy', 's5uXT0cfL4A56oM405ZH'
Source: 4ra1Fo2Zql.exe, uXTmSC0NO2d5jpYm1pJ.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'H5J0gnOfM9', 'IUscDahP1uZ', 'h6WifOcuTMPZ0SB9depL', 'r0PZWtcu9Z7rkbhje4Wg', 'DfDIN9cuEgjBoDsQ0HnS', 'ehpEWucuqRAXdpRkmJck', 'ACfYhJcuJLBfTMj9urRR'
Source: 4ra1Fo2Zql.exe, XXDe8xIZBsdu6ciAJDW.cs	High entropy of concatenated method names: 'wBKscWJJoW', 'zArn7QcE2dnrwWJpiibw', 'AmEBQAcEkjLrG3x0KTaq', 'Fqx8ticEbe51f48CFaUt', 'LxD0AAcEmrI71ykWUT88', 'k7pIW200hS', 'kUSIe7Is3q', 'J6hILAM4Pv', 'jw0IrCiS7x', 'E5HIaoxP3K'
Source: 4ra1Fo2Zql.exe, VMIFqTiZm5Ky6nXBIYi.cs	High entropy of concatenated method names: 'P9X', 'W8rcCogNp6l', 'vmethod_0', 'imethod_0', 'MEaSN8cf3jXn6iY0LU06', 'UibaqUcfnhSukndYAQPB', 'sFFweOcfPokZxX2C4jcF', 'OVxsXycfKc1xyAOFEcMq', 'WJMS2TcfBGSTpk1O2qy6', 'TEfpiwcfFAIoBA2xDCmO'
Source: 4ra1Fo2Zql.exe, hlPwhFYkPiwtLDfVFrT.cs	High entropy of concatenated method names: 'OMtcDPW7IY7', 'Brwc5MeUBJ0', 'hKZOA0ct36efE9Iq7Ylk', 'Gt8GyCctPfryg9lvcGS8', 'lZrEO8ctKpTHVOhfdXGR', 'La44Rfctnyi2F8MuLn6G', 'NuR0rvctfCQLoi0fDuP9', 'FiDg1MctFhCRsjfqKUrg', 'mtejcjctp5Z9eQwh6vU5', 'imethod_0'
Source: 4ra1Fo2Zql.exe, t66nRMyv3aDp0Ot03wK.cs	High entropy of concatenated method names: 'iWmyCCwdCG', 'GQ3yGAnhiM', 'VLFy5ssZeC', 'efByiRF9kr', 'HGOyDbOj9w', 'PDlyy1yBoZ', 'S9hy7SSIUO', 'bZZyQaoeY1', 'kG6yhqYuG3', 'nH8yZnGKNx'
Source: 4ra1Fo2Zql.exe, BpNXecUGUR94nSRnStG.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'EgWUi9mp1U', 'vmethod_0', 'jKVUD8HYHV', 'xxScDUPKgIl', 'tIK1ZccuzbFceyii8qMg', 'NPTBTxcu6EYsdap0IcIy', 'GBkurVcuAmJYEqr3ASDH'
Source: 4ra1Fo2Zql.exe, kCPAeIE7dMhPOEPqNk.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'WswqXrbpC'
Source: 4ra1Fo2Zql.exe, xQPLDIbFPja6FvsA8Kq.cs	High entropy of concatenated method names: 'SDZbfcct7k', 'DviblE5dUF', 'Ty0bRGMZQ8', 'UuCb8OwPJ1', 'Vkubkr8Gls', 'shmbbqn3wA', 'KrTb26DBWC', 'zktbm4k5Pd', 'II2bucsCHo', 'EHab9rRUVQ'
Source: 4ra1Fo2Zql.exe, DFqLFmswRgyPgqrFBMx.cs	High entropy of concatenated method names: 'F7csY2tFEI', 'PgUsOE7g6r', 'Q8psNNATrq', 'jdCst7G1v4', 'BkEsg1oCf4', 'MC30e1cTCRJaLaWSqwJ0', 'Sg1dNFcTGkXrL8dLcUkg', 'fLTrZlcT59juKGQPe5dD', 'brvtvKcTihNd1cLJJMgx', 'f3b2TCcTDUInmcVfLUZ0'
Source: 4ra1Fo2Zql.exe, oFr4nZGe6u1tpqFoDPF.cs	High entropy of concatenated method names: 'b8yGK9SNOU', 'thDG3XJbkd', 'AUhGn9QsLt', 'Rs2ugocFTkj9fn0Lj5qw', 'cY1t2bcF9yjo8oHpZDft', 'hlCcVmcFEa2yH1CHLh0v', 'O6OJrgcFqmS21mJdjV0d', 'cuRGs0T8bi', 'KwCGX6EjMU', 'bBmocXcFmmClUfsqOTpI'
Source: 4ra1Fo2Zql.exe, suSCHg3AQdKG0D3ACY3.cs	High entropy of concatenated method names: 'Y9mnjtANun', 'PGIncdTtAE', 'kBxnvlO6tC', 'hZTn1nlxbL', 'MYHnCWDUyM', 'ktvnG4ahir', 'bw4TLEcSD6ndpntXFGNY', 'QgrsrHcSyZIMNoHcNfV8', 'dXpqdZcS7WYZLneAtmvM', 'Sk4SbKcSQL0Q7d11sxBy'
Source: 4ra1Fo2Zql.exe, F7ZonGfRprCjvdLnpSY.cs	High entropy of concatenated method names: 'Close', 'qL6', 'DV6fkeQUh6', 'I6Mfb4agPt', 'Ygsf2A4k3C', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 4ra1Fo2Zql.exe, dYobUE5XQa9s2vONC6a.cs	High entropy of concatenated method names: 'SoL5FmUSuU', 'Ib2Un0cpEoRoyLWw4fR4', 'Ddnl55cpuIi0M067uuH6', 'BVdJFAcp9grTSCCVDv9b', 'TiwBVbcpTDjnuUtknm9b', 'gnpP6Gcpqbu5fF2Qvq8h', 'E94', 'P9X', 'vmethod_0', 'srUcC04vrHO'
Source: 4ra1Fo2Zql.exe, n3Bscv4bygT47v5nT1Y.cs	High entropy of concatenated method names: 'xF74qP8ysw', 'Jk74JH1nFf', 'UWS4Svo9RO', 'MUo7Aqcm07b61keqi7b2', 'ws5XpgcmacuZ0f4uhrST', 'thgJiFcm4tYWmZgfDpQb', 'GKU4mRtxmT', 'pvv4uOLHcB', 'mTE49Bv4n7', 'TUWhS0cmdW3fUZxXYibm'
Source: 4ra1Fo2Zql.exe, G60nIvD7EnbTUJB9AfS.cs	High entropy of concatenated method names: 'iVcDhqpOZt', 'qtSDZO8NiX', 'UrYDdYgoNP', 'YsB1GNclMu3IQM3jVRMw', 'M8OkQpclPawdtC5AES4J', 'NYhq3WclskWrPg2v08h1', 'GqXxp8clXRt4SpRGKN6o', 'I4lM6PclKM4D4Zont5K9', 'CCOSrDcl34P06kT6XvtY', 'HkI7LvclnKwNyRXwItoQ'
Source: 4ra1Fo2Zql.exe, lcgjMVDK38b57didclW.cs	High entropy of concatenated method names: 'x7IDn4pBXK', 'QyvDBMoOMH', 'S5HDFv78KB', 'SQYDpKPIfF', 'FWqDfZqlfP', 'p37Dl2dc2U', 'SfSqD6clAnx9BxjsnkSp', 'LPlhVxclzZ8i4heUuQxS', 'Wuqt2pcRjtLFUMqJfny0', 'l4JXOfcRcmu1qOHJnmRV'
Source: 4ra1Fo2Zql.exe, leScgRBAiEKqteybUbS.cs	High entropy of concatenated method names: 'JHcFjC4DeD', 'oW0FcXmOmk', 'Yd7', 'TGWFvFq0g1', 'v3EF1Yeq1B', 'qFSFCKYuWI', 'IfGFG7b4Q4', 'Cc3ApicHDrcdRaavHm78', 'yHwaR0cH5fGaMPZjnd5E', 'cmb2s6cHiQcMZYwn1I4Z'
Source: 4ra1Fo2Zql.exe, MGkHTiGwWqQBJJUxvV6.cs	High entropy of concatenated method names: 'VY8Gg25yPP', 'dwvG6OS8kb', 'K6UGALgHwy', 'M30GzWJhSK', 'BmO5jbilrU', 'hNJ5chM6x7', 'WYu5v1ovOu', 'QE6T9wcp4cEtaO6Qtcb6', 'uIPP3wcprLZ8aN0L2k3U', 'XeaeFXcpaNUPUKrdWx42'
Source: 4ra1Fo2Zql.exe, LElZEBiywA8CeEoRPwZ.cs	High entropy of concatenated method names: 'l7oiQvApa3', 'MnVihFX9wN', 'i5ms3ccf0xdn9BPsQBG3', 'wERRcacfak8vk6N1T7mB', 'OQfN1scf4e73Mm2BIbgD', 'D2qkGecfURwtBcTxS1ho', 'E9G7VPcfIjnNBoRrIjQU', 'FO59PIcfo7bBlfUb6YjE', 'rijri8cfsbqfBjaVoBDt', 'pTXPyZcfXTREIZvdi7VN'
Source: 4ra1Fo2Zql.exe, CCvJFOnmi8MqYguZx3Z.cs	High entropy of concatenated method names: 'udZn9vT5qJ', 'jlgnEiPO6X', 'ChRnT98afM', 'gh7nqJ3WuC', 'lMTnJKk1lU', 'nuvnS8JjVf', 'pZHnVqu43n', 'cYqnHJVEir', 'TtEnwkqyjk', 'Y7FnxZNlIZ'
Source: 4ra1Fo2Zql.exe, dogL2scATqm5CBE3gnJ.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'ENCcDcPkcI4', 'vnWcCcgqcIs', 'Lr6Qgbc3j9rrXhaBEvwL', 'auv78nc3ctDQujKPVum4', 'ulTuGuc3vlemnNocrOyf', 'odoFhUc31pP46ndk8yHa'
Source: 4ra1Fo2Zql.exe, uJHsE8GEU6s7g1KM1q6.cs	High entropy of concatenated method names: 'MrmGVYigSG', 'TrWPCpcpyZGRucJWqeeX', 'xIONV8cpiNiavrY8XXwq', 'GDeCHgcpDOBAldeRKbic', 'AY5jaYcp77M0A9c6rjJr', 'U1J', 'P9X', 'zhOcCeEcBnE', 'cGmcCLkrS23', 'pV6cDiMXngk'
Source: 4ra1Fo2Zql.exe, gNhdDOnFZ08FxLXBCfs.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 4ra1Fo2Zql.exe, KjvT0dMs3YQguG4p87v.cs	High entropy of concatenated method names: 'ylpMM5qPkC', 'qqdMPUsJdl', 'EjkMKvdQsQ', 'lpOM353gUp', 'mKVMnpkyj8', 'Mp3eH2cqGNrV0g3DgXTh', 'z2tGGVcq56bt32Cjx5pA', 'vdm2rGcqiQFoDdQjtPNk', 'TpxEwbcqDpDSUfIdS5Z1', 'oa2UPscqyKmnCb4sqRs0'
Source: 4ra1Fo2Zql.exe, zyIMZ4K1lmP8y7jb09Q.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'QJdKGXRcpw', 'Write', 'rIwK5lmbou', 'g4hKiSDuF2', 'Flush', 'vl7'
Source: 4ra1Fo2Zql.exe, eu4Juytj8syog843X6R.cs	High entropy of concatenated method names: 'yLUtCCC8a8', 'p9btGRsa8e', 'yVFb7lc6jLpmZovYws7W', 'iZqYqrc6cFaSlC6uSNMH', 'OKmkMlc6vGUHCncAqKvA', 'tHh40pc61jWXSNJp0ooC', 'paXrYjc6Chb1iJttPLk4', 'KUPtv6sVMk', 'jybJfRcgg0Zfj5hcS3W4', 'Siwy33cg6CcDrrgwCROZ'
Source: 4ra1Fo2Zql.exe, dY24pPC495cqBg8hpMO.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'XmFcDvrRayT', 'vnWcCcgqcIs', 'UPHpXfcBUKb06vixJdu7', 'yyl0VocBIoBFdf6knp3B', 'Ah5UjHcBoYrm3lTXrMpQ', 'sZXOBDcBsJ6109QEOr5V', 'G44b6LcBXmB2nFn0UhjI'
Source: 4ra1Fo2Zql.exe, OT2fhhbTIUTxcPNvcmZ.cs	High entropy of concatenated method names: 'W36cDXVLRBc', 'XN1bJlTGJ8', 'g0DbS9HLhw', 'dK4bV0w13s', 'UvGYVDcYuOmpnWUFmB09', 'gl4aT0cY9gRSJoBwANFo', 'oW3jNucYERZsm88XnZA4', 'QacR5GcYTmi4H6pAnxwO', 'shV66mcYqEpmNcrtKu3w', 'o58blwcYJYbODoNoyxLC'
Source: 4ra1Fo2Zql.exe, DKKIfSNFCCxQDUka87n.cs	High entropy of concatenated method names: 'c9rNfXJGhS', 'zLqNlR4UcA', 'vIvNRcCXO3', 'OMoN8IXpAn', 'Dispose', 'VFDVVrcglepHk4ZOJd4a', 'k7fgITcgpEbXjZv9OeiA', 'jcTyyPcgf5IepNc3svPM', 'X6Fy6UcgR6nBQgyadIxp', 'aq9ANRcg8xAxUXxtD70u'
Source: 4ra1Fo2Zql.exe, GcbayIGlb8oSTZlMk62.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'DPScCQZ088T', 'nGbG8KfZh1', 'imethod_0', 'JgqvmucFSyWEAbWGop81', 'gcUbu2cFVTlXvtpxijfv', 'NpyYpEcFHBMXofmHq43K', 'rej3HJcFw1nasPbGgiSW'
Source: 4ra1Fo2Zql.exe, fQanusvHeXysFOfABrc.cs	High entropy of concatenated method names: 'QMN1ijTwVU', 'TVxlwqc36K0M7hrK4UYC', 'HjftWLc3Ar7rmvQaj8LO', 'B81gJwc3zHpKbAaXAQXD', 'csoVpecnjpUkhQKtSBHt', 'W99M6mc3tn7HTsfd6Kmg', 'CP0Wycc3gHH8SjmjjHuh', 'D3UbJ9cncYWpe0hjghLi', 'iSXuYXcnvhgXt3WuvMjK', 'BoP1jqSi1v'
Source: 4ra1Fo2Zql.exe, Pu3DSwC2RD7KEiL4vfo.cs	High entropy of concatenated method names: 'GXVC647Cuu', 'SDJE2ecFyHJfbTNcG4sd', 'WttO5JcF7KwtEVQdj3jC', 'bxmQcwcFihAf2rh7FuTJ', 'CsfR4TcFDYwLvdtoLCsM', 'rKfSxGcFd9iZTlQFsVJ1', 'aMLDX0cFh2EiM4NjARRs', 'YWOD0RcFZtX4FybGn9L6', 'oqP2njcFWSusulSfCymm', 'r7GG5q0gv5'
Source: 4ra1Fo2Zql.exe, TJhJRrlH1sgNhHgKGUf.cs	High entropy of concatenated method names: 'iX3aHLcxetRwaQ4NtLAX', 'bP4PeBcxLU7dUGaCFYIj', 'wns0gocxrMAaGAhfViMy', 'tL4lxwmbHn', 'Mh9', 'method_0', 'cWRlYYPAox', 'iTUlOB38RA', 'sJ3lNtuZPT', 'u9Ultl3tYr'
Source: 4ra1Fo2Zql.exe, iXuyu34YOBnWV6rGi7U.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'oX8cDZ3EnFt', 'ChqcCqi2EH7', 'GiPQNGcm3AXAqYpVXRNg', 'nTrEXncmneWdfuNNirkb', 'k3MWV9cmBBsM83yofyZY', 'OHK6PYcmFiUygrtoVKiX', 'z8mglgcmp79VQdqMtZkp'
Source: 4ra1Fo2Zql.exe, hgWe380VnaRJmLpIeVr.cs	High entropy of concatenated method names: 'wq9cDLEuKKJ', 'GYi0w2HSb5', 'V9IcDrmyrDW', 'I6NKxRcu8rEAQpWRoX6I', 'fFLEKFcukJqqsCu6xGRk', 'smfAWYcul7LtxX8uw8VL', 'NAek3CcuRgoHvmQ9rPwG', 'TUsddNcubdvGRPpXDb5M', 'aZpesQcu24MonfdogW2K', 'vcXxDAcumIWLhHUjmAqL'
Source: 4ra1Fo2Zql.exe, Nx7HEtWQNP1A41ZuSaw.cs	High entropy of concatenated method names: 'Dispose', 'IUZWZ5evf7', 'paQWdpGF3Y', 'U5MWWQJonV', 'b1NnO4cb7dYVGLkJwiXI', 'GmLmNbcbQNcyJY0WJWJp', 'ziu3t8cbhl5qOHVF2KDx', 'TrgHSvcbZTf4f8Osm6FP', 'zeeiIBcbda1sFVV4YHZJ'
Source: 4ra1Fo2Zql.exe, Qon7Cv3x2nEwjN7u77h.cs	High entropy of concatenated method names: 'XkV3OrRBsm', 'OSS3NTra2J', 'LNH3t3OJkG', 'GEC3gaqtF6', 'sVR36fRRkj', 'nrwuftcSvUmF3lswSYBF', 'dtGVf7cSjOm5OAI7SjrA', 'THxVGncScDvl8B9Uqy1L', 'gTvUG8cS1fUallXMFFNh', 'd8kwg6cSCIYvfGGtpwMt'
Source: 4ra1Fo2Zql.exe, DB9M1HydFgb7nonCfFL.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'OofKgucREhv9J3wt4878', 'zT4MFrcRT76uBt4SVKm5', 'Fhj4O8cRqjvgcM369q6X', 'gdqyeumpF3'
Source: 4ra1Fo2Zql.exe, VPXbnP0djxnfTVe42Tm.cs	High entropy of concatenated method names: 'CTP00GRtFj', 'VpIwBWcu1Zrytnw7cKPa', 'RjwRQucuCs8FtjKy9QeQ', 'QyvG1ucucVr7I7NaVnDf', 'DNeFTqcuvoj1wAESO2y4', 'e26ENZcuGY7nTHmlye47', 'UAi0egA9SF', 'd2BKVLcmtEbHBwYsj0pb', 'FBPqATcmOwdpe8Lflf9D', 'RL45ErcmNZsrihK2vqBA'
Source: 4ra1Fo2Zql.exe, aVe74o1HUFWPtYIyrYU.cs	High entropy of concatenated method names: 'C23C1qPgYf', 'bhSCCuFmUD', 'QCBCGCklN7', 'JdV4rMcB5LCskngOqe8S', 'E6pTpBcBiE7RC7IffyBp', 'cTBxNicBCUdnEXy1mUgg', 'CrEnMQcBGqRUr2iGbUnn', 'sYACQEQA3Z', 'qt5FbLcBQixWBuWex1Vw', 'a74YJ0cBy986HBqNfB0L'
Source: 4ra1Fo2Zql.exe, IV9cyv2FFYTATxIxBVw.cs	High entropy of concatenated method names: 'KW62fPltq3', 'HlO2lfHeXO', 'LJa2RQZRci', 'M4i28OP73l', 'lxj2krDQ71', 'jFL2bp0Jfj', 'KpF22e23g9', 'qZb2mbn97G', 'wpu2uGgihJ', 'X2i29bbE74'
Source: 4ra1Fo2Zql.exe, HUrRKiDIw6cvRFMn0mo.cs	High entropy of concatenated method names: 'psqDsGXrwv', 'c5iv82clJRiDt2YT0oc9', 'g6xDiGclSUSJo9BdBA9R', 'Ge6iBYclVCoaZJ40jxxh', 'bFdP82clHTgbWI8LLoiq', 'AZINJuclwMJvWQAA54Mr', 'OO4kgYclTb9e3Zcl5Gqm', 'kv98puclqmD4nukQs5k4', 'iPGyQVclxtSW8qVZ9iDg'
Source: 4ra1Fo2Zql.exe, yhMBD4s7wNk7qAsjsr9.cs	High entropy of concatenated method names: 'hgysFExdvU', 'kipshBl2x0', 'AbHsZUXL8L', 'cB5sdUO3NM', 'VvHsWBr1MC', 'mLrsewh37m', 'OmNsLqEVqN', 'eeTsrGXv0g', 'sD1saKL0Jl', 'B9ts4ZG1V2'
Source: 4ra1Fo2Zql.exe, YSnMSvPQ1Ormf4YLlJ8.cs	High entropy of concatenated method names: 'UGrPZdWIlT', 'k9JPdGmR6Y', 'cm3PWGGLKF', 'tYtPef8wjm', 'NYnPLIyX2F', 'hdDl96cqMZAWjF7NfOFx', 'yAU8yfcqs2aNHgteotZF', 'd3B4p2cqXSfiu2X4NBYE', 'VoMofKcqPyI4gGtZCBjO', 'bBBxQlcqKIDXD9PlEawa'
Source: 4ra1Fo2Zql.exe, etFV6Q8RsMPCOytDGjt.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'FOMflhcxqLXS7Qhwfqe7', 'uVc5IxcxEYk0kJW4GNx7', 'IpEgUScxTP5pO7EiNX2t'
Source: 4ra1Fo2Zql.exe, tUEkmFiuw8NuO4CGsZ8.cs	High entropy of concatenated method names: 'EItiNZnAG4', 'ykoitiAEZs', 'QFgU9MclhsYYTH8fk5Sp', 'hcyqxBcl7ggyQiw8iTI9', 'WHIgH0clQm7ZFFENLO3P', 'L7WUqwclZyEiFgtGP1Hu', 'AvPiE5YN3E', 'DD4iTY0TLF', 'wyXiq87WPy', 'TsDiJLTKIf'
Source: 4ra1Fo2Zql.exe, TR8Tju5ug4lftAofk1l.cs	High entropy of concatenated method names: 'R5Q5NA9JYt', 'CPb5tlT6XV', 'RQI5gNj99V', 'jD566icfykUmGTdvmnFA', 'bIJPDucf7A5qI1o0h7F5', 'mbY0Fqcfi8HAqSRjqkUv', 'CsBAgecfDndY9obHYUsR', 'o0G5E2L24f', 'O6g5TA09TH', 'gac5q7QflY'
Source: 4ra1Fo2Zql.exe, sCysD0GysTxMGnuL2OO.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'RZNcDGGny9k', 'vnWcCcgqcIs', 'jg8bFFcF0Iwwx2Ccin00', 'IAaFM6cFU27yHW2gulhu', 'sFXwANcFINTNqA3dEvag', 'l5H0oMcFoi5ioVTMIZZo'
Source: 4ra1Fo2Zql.exe, nDbLvo3qVLKVJF7sP1m.cs	High entropy of concatenated method names: 'pGZ3SkMnhw', 'Ise3VnKgj9', 'q8n3HDL2k7', 'yFHfgjcJNcDIymf9fpcW', 'j2UJi3cJYXKkQKI6FgPs', 'XSb8OUcJOg6MxgXAtm0b', 'xJj7umcJteC1YhauhqqQ', 'hEiV5FcJghVS2cgklb29', 'sTsexFcJ6clQISHo9k86', 'MA4iSecJARrFTqtccJ3r'
Source: 4ra1Fo2Zql.exe, y2cQVhbyso8ZBUkcRvA.cs	High entropy of concatenated method names: 'FgKbXwtqJU', 'trFGJPcY3bpmOwHJA5Ao', 'D9SFPUcYnCBEjnrkBIR4', 'hSwVuccYPVa7d5eaxYWZ', 'wG5vhmcYK2jJNLsqepfl', 'PhwHpDcYB1NQBKRowYCm', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 4ra1Fo2Zql.exe, Hi2iCjPFwOK39Y9KPHC.cs	High entropy of concatenated method names: 'method_0', 'jJIPfPp4yl', 'eQBPlqwxwg', 'cvjPRreb8A', 'OWDP8IGZsl', 'G7kPkVUY4F', 'Ot5Pb0OtiT', 'wkjK0XcqkTZIU7I6tZYK', 'PuW6JncqRJWU2ULcaefh', 'qUgY6Jcq829jaO7YkxmM'
Source: 4ra1Fo2Zql.exe, vOSyaTvGSDci05XbLCs.cs	High entropy of concatenated method names: 'FfTvieBunt', 'OaRvDmy10u', 'qWAvync7nu', 'Hvfv7NlMmb', 'xXM5FMc3WSVPLIi2b1jF', 'jcnBdnc3ZAfnXQenQcey', 'hjC7aLc3dZLrx7Bx3sXa', 'OPoOBoc3eGrZIsbRu43B', 'FC1qI9c3LtlP4QNZtcAY', 'mMDcgvc3riCek25bfA6V'
Source: 4ra1Fo2Zql.exe, KG8EEGpUc9XH9hEnkVj.cs	High entropy of concatenated method names: 'Fi1fds1NWo', 'N5eMsmcwvPZb7YVXXwOe', 'mcADgqcw1ddyWnmgCZ4o', 'kt5', 'uUIpoYuMgx', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: 4ra1Fo2Zql.exe, FkLS7gDLVM8h3jrb8Jh.cs	High entropy of concatenated method names: 'Ga1D0C5FLK', 'UiH0FOcl9fcl86h6l18A', 'pqS4Zgclm4GihxYYRC72', 'QiWnUIcluy20ZJqha4iv', 'vQqDaSg7UD', 'TbjUUkclR7anoTD1prwG', 'fHIoqBcl8LpvYuLNwSUD', 'CwOgvxclkTPvRti6pd2c', 'AmsDEMclfY7Id1DUMQdi', 'ALG8VbclldV1yExKXPpt'
Source: 4ra1Fo2Zql.exe, wnVArrWogH7KjABKws0.cs	High entropy of concatenated method names: 'wNd4ZUfLYp', 'e3P4ds6WGo', 'vQjqw0c2OhGRhLtFYJQA', 'sBVBMjc2x8mubneffZIu', 'fFVZCqc2YLgRvcU9vRel', 'tBhwmwc2Nf4TMYTLifPk', 'MRf44BhLgY', 'fnGCTPc2gvYPrPFoKNf2', 'M2mdX7c26wWJSn3kHbiG', 'YZkaJZc2AXOhWgwtP3XV'
Source: 4ra1Fo2Zql.exe, XrgwotBTm4DxLoN6ZYc.cs	High entropy of concatenated method names: 'vVQBJaLQHB', 'DF1BSLqiu1', 'iXOBVBjpVX', 'qKwBH8AqjC', 'KSiBwRKKFw', 'N5iNiQcVtFJG68Z1oPhT', 'xyGU8WcVgbIQJDEaRfjW', 'wbiXgncV6XGL7Bl25ID1', 'iLudcYcVOUy51wDRfCZH', 'XivmticVNMV1GV29jUs9'
Source: 4ra1Fo2Zql.exe, UcNwSr0ETGRuQRnTxSt.cs	High entropy of concatenated method names: 'iGV0qqHH4x', 'oKV0JdSsAg', 'O130SbJ4VT', 'NoQZUWcun58loggP1feT', 'fSQPGScuKr2illI3LRYb', 'LObjWGcu3I34wwpV33aF', 'Rt7qJLcuBVWXQxuNjbAO', 'Ys6GyPcuF53EhO72R6wo', 'g2EALIcupLoGi64px8Ed'
Source: 4ra1Fo2Zql.exe, vMm4SAXEFg3QQNHt6xw.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'Mh4XqT4DCI', 'oWkXJBLx8q', 'Dispose', 'D31', 'wNK'
Source: 4ra1Fo2Zql.exe, QcIWbXfHqXy4gM2THdQ.cs	High entropy of concatenated method names: 'qrmfxjhNBP', 'k6r', 'ueK', 'QH3', 'GsnfYctrJq', 'Flush', 'aGUfOpaF4T', 'vuBfNF9HP1', 'Write', 'yYKfttmARc'
Source: 4ra1Fo2Zql.exe, yKLFTS2tKygjw4mmtKv.cs	High entropy of concatenated method names: 'yWl26oVfAb', 'Iuj2AEOcdl', 'Clu2zAkI2K', 'UPdmjkvvPx', 'sNLmcxvVc4', 'CQJmvQlZUt', 'Nhvm1gep81', 'rvwmCbrnaH', 'acGmGPl8Uy', 'ckim5F1vcb'
Source: 4ra1Fo2Zql.exe, eyoEW5UcN4RK4Gyefrx.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'GtycD4vw5jk', 'PDIcD0lge8N', 'WrGHPQcuwKEZvvUdJjh8', 'KLTaHccuxavdDlNIRMaR', 'JXnN7ncuYdmBv6m6Zcgg', 'UqFbaNcuO8eUALDaT4xI', 'ix0a8GcuNCRVH4G9MBA5', 'KOilHocutmn2h0eYTW5D'
Source: 4ra1Fo2Zql.exe, m6OFPnDm24BVmsEjggm.cs	High entropy of concatenated method names: 'P9X', 'vUrcDhfCWe1', 'imethod_0', 'hqGD9axyHg', 'DhP6qYcRiFHTOQxsRjIS', 'oOFPqpcRD3uZyPqxwB7e', 'cyDxXPcRyE2BB1GA1t0r', 'SJUrMXcR7AcTv9lK32lN', 'eXvXjMcRQJ5aIK4i43J8'
Source: 4ra1Fo2Zql.exe, yjf4BF43BlrZo9v9RXe.cs	High entropy of concatenated method names: 'WJ848o4Ke7', 'wXFQYMcmQOWJNbLp4J6P', 'J9shwncmy0vT3mpCcvtV', 'FUq118cm7uNitjusc3ke', 'B4Ngp5cmhgHyq3u351b6', 'gJK4BkONSr', 'mOH4FAcQgp', 'kUA4p6Ii2b', 'GNe7l8cmGZpm7vuSoWpk', 'L8mIhdcm5LO2NQrTJ6Mq'
Source: 4ra1Fo2Zql.exe, t08FVnvFBoPDGZMgM8T.cs	High entropy of concatenated method names: 'I1ZvuExKeI', 'nh9v98EVS5', 'KqqKZ3c38qjKKCABTk8s', 'J654LFc3kRx7mWGsgEVL', 'wA7vJ8T36J', 'f81dWrc3u5u5iiARXe5G', 'AvSCDjc39BDDTPN0Jq7L', 'SE5CEqc32HohDy1hc1Xc', 'NDFr7vc3mZbLpUlw3ngs', 'jk5klWc3EfovCUTPy6tH'
Source: 4ra1Fo2Zql.exe, d1UH2ei4FhydddUy7fo.cs	High entropy of concatenated method names: 'AXRi3bPESM', 'MfomDQcfJhUpaxBxbA4E', 'my2RJdcfSexVt6wS74a6', 'mrFioJcfTkllGdVrU9OR', 'dHSVp3cfqugyfRROhkwm', 'wsuC8wcfVxO4kT5vki9c', 'YPexflcfH642ey3du4RV', 'udSiUIrJiR', 'Xp1iIjb3Tu', 'Al6ior499S'
Source: 4ra1Fo2Zql.exe, VYVXbHUesxlnOWEIBWV.cs	High entropy of concatenated method names: 'n9saE3c9BYr8w7v6XOar', 'Q3KV78c9FsUQBHEaj3En', 'ewxoMpc9pbZOcS9j9Vkw', 'ReEyatc93TLReKwn9LYU', 'gDeqCMc9niNhTUhviG4X', 'method_0', 'method_1', 'kryUrIYEL9', 'yGoUaXi60L', 'PBBU4iMZj1'
Source: 4ra1Fo2Zql.exe, DDFQKBFg5J9JxUEKt0v.cs	High entropy of concatenated method names: 'C5rFAoEwjg', 'bsIFzpeOut', 'AUgpj5ZqlP', 'i9Ppc4XOwj', 'hhZpv4MmOY', 'MG3p17aY9T', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 4ra1Fo2Zql.exe, GGkOJOz9cBhq6YIyTj.cs	High entropy of concatenated method names: 'RFpcckVdhe', 'L1Fc129e92', 'MJAcCDCPlC', 'WDUcGDBein', 'WiSc5GRQck', 'K4ociM5yXV', 'Hjgcyc8xsb', 'R7clsucKixPxAoJZZCbH', 'jnkvoTcKDMexp7vNsoAJ', 'qmKBWDcKyG38srF9unDn'
Source: 4ra1Fo2Zql.exe, M1aS8QKuM4yePZFygnv.cs	High entropy of concatenated method names: 'U3TK6hqSp1', 'V3oKzmGBLS', 'ttGKEpZZMs', 'emeKT22FmE', 'RYJKq8Erac', 'O8nKJmMM46', 'HFqKS0s5WR', 'TjPKVZZrJk', 'L0uKHnmuFA', 'EVyKwl4p22'
Source: 4ra1Fo2Zql.exe, bVjfStMY3rChacMXOBv.cs	High entropy of concatenated method names: 'tfmMNwj4Gu', 'yLlMtNrxkb', 'rGXMghWYdy', 'gG1oxJcq4Phu9vi0bly7', 'upLj6McqrBNgWbC8pPEg', 'OG6RE4cqaF60viQXs5V9', 'A5HI7Dcq073xmHkqWE83', 'sfOYoWcqU7H0fYfSJ1Pi', 'no4UNUcqIUtVTAQbDBJT'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe

Drops PE files to the user directory

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\RuntimeBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\RuntimeBroker.exe

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\RuntimeBroker.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1A7E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1B350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 2240000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1A450000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1AFD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 25A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 34E0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 1B4E0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1A8A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 1864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\RuntimeBroker.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\RuntimeBroker.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2076580924.000000001B759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2079535829.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `1\|pDn-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2192322493.000000001283D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 0000002C.00000002.2237357810.00000175DBE59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug
Source: C:\Users\user\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\user\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Users\user\RuntimeBroker.exe	Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\RuntimeBroker.exe	Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match	File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Antivirus / Scanner detection for submitted sample

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.211.144.156	621287cm.n9shteam2.top	Italy		31034	ARUBA-ASNIT	true

Contacted Domains

Name	IP	Active
621287cm.n9shteam2.top	80.211.144.156	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php	true	Avira URL Cloud: malware	unknown

AV Detection

Source: 4ra1Fo2Zql.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://621287cm.n9shteam2.top/	Avira URL Cloud: Label: malware
Source: http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php	Avira URL Cloud: Label: malware
Source: http://621287cm.n9shteam2.top	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\VTXhBlNT.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\MjzRNvWG.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\sTRlxExW.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\CAgBdTQY.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\IZdub348jc.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	ReversingLabs: Detection: 65%
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	ReversingLabs: Detection: 65%
Source: C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exe	ReversingLabs: Detection: 65%
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\MjzRNvWG.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\VTXhBlNT.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\fuHfGerv.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\gwaXxxDZ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\myawJPbK.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\xxMkqOtN.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\RuntimeBroker.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: 4ra1Fo2Zql.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\VTXhBlNT.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MjzRNvWG.log	Joe Sandbox ML: detected
Source: C:\Users\user\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\cPGganVc.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VLoPWCmN.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 4ra1Fo2Zql.exe

Joe Sandbox ML: detected

Source: 4ra1Fo2Zql.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe			Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\b4601131bf8590			Jump to behavior

Source: 4ra1Fo2Zql.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

Spreading

Suricata IDS alerts for network traffic

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49717 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49715 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49713 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49719 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49720 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49712 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49722 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49721 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49716 -> 80.211.144.156:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49718 -> 80.211.144.156:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 80.211.144.156 80.211.144.156

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ARUBA-ASNIT ARUBA-ASNIT

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /UpdatelinuxWindowsUniversal.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 621287cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 621287cm.n9shteam2.top

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:44 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:02:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 29 Aug 2024 21:03:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top/
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://621287cm.n9shteam2.top/UpdatelinuxWindowsUniversal.php
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, GrVEPTmsoNTbY.exe, 0000000A.00000002.2186917152.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Creates files inside the system directory

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP

Detected potential crypto function

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E60D48	0_2_00007FF848E60D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E60E43	0_2_00007FF848E60E43
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E80D48	10_2_00007FF848E80D48
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E80E43	10_2_00007FF848E80E43
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E91635	11_2_00007FF848E91635
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E712B2	11_2_00007FF848E712B2
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E60D48	11_2_00007FF848E60D48
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E60E43	11_2_00007FF848E60E43
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E50D48	28_2_00007FF848E50D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E50E43	28_2_00007FF848E50E43
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E90D48	31_2_00007FF848E90D48
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E90E43	31_2_00007FF848E90E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E612B2	32_2_00007FF848E612B2
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E81601	32_2_00007FF848E81601
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E50D48	32_2_00007FF848E50D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E50E43	32_2_00007FF848E50E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E80D48	34_2_00007FF848E80D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E80E43	34_2_00007FF848E80E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848EB1635	34_2_00007FF848EB1635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 34_2_00007FF848E914BB	34_2_00007FF848E914BB
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EC1635	35_2_00007FF848EC1635
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EC1601	35_2_00007FF848EC1601
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848EA12B2	35_2_00007FF848EA12B2
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848E90D48	35_2_00007FF848E90D48
Source: C:\Users\user\RuntimeBroker.exe	Code function: 35_2_00007FF848E90E43	35_2_00007FF848E90E43
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E912B2	37_2_00007FF848E912B2
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E80D48	37_2_00007FF848E80D48
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848E80E43	37_2_00007FF848E80E43
Source: C:\Users\user\RuntimeBroker.exe	Code function: 37_2_00007FF848EB1635	37_2_00007FF848EB1635
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E60D48	38_2_00007FF848E60D48
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E60E43	38_2_00007FF848E60E43
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E712B2	38_2_00007FF848E712B2
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Code function: 38_2_00007FF848E91635	38_2_00007FF848E91635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E80D48	39_2_00007FF848E80D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E80E43	39_2_00007FF848E80E43
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848EB1635	39_2_00007FF848EB1635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 39_2_00007FF848E914BB	39_2_00007FF848E914BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E91635	45_2_00007FF848E91635
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E714BB	45_2_00007FF848E714BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E60D48	45_2_00007FF848E60D48
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 45_2_00007FF848E60E43	45_2_00007FF848E60E43

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\CAgBdTQY.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Sample file is different than original file name gathered from version info

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2085769625.000000001B7E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2080353775.000000001B7B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001C.00000002.2230154294.0000000002610000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.00000000031A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.000000000325A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe, 0000001F.00000002.2263574639.0000000003190000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe
Source: 4ra1Fo2Zql.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 4ra1Fo2Zql.exe

Source: 4ra1Fo2Zql.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4ra1Fo2Zql.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GrVEPTmsoNTbY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GrVEPTmsoNTbY.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2058962549.00000000006FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@54/48@1/1

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\Desktop\xxMkqOtN.log

Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-ln07BHafEPq82yTj5rEF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\AppData\Local\Temp\q4lxag2s

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"

Source: 4ra1Fo2Zql.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4ra1Fo2Zql.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 4ra1Fo2Zql.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File read: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe "C:\Users\user\Desktop\4ra1Fo2Zql.exe"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
Source: unknown	Process created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe "C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows media player\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\user\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbY" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 6 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql" /sc ONLOGON /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "4ra1Fo2Zql4" /sc MINUTE /mo 13 /tr "'C:\Users\user\Desktop\4ra1Fo2Zql.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\4ra1Fo2Zql.exe C:\Users\user\Desktop\4ra1Fo2Zql.exe
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: unknown	Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\RuntimeBroker.exe C:\Users\user\RuntimeBroker.exe
Source: unknown	Process created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe "C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

.NET source code contains method to dynamically call methods (often used by packers)

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe			Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Directory created: C:\Program Files\Windows Portable Devices\b4601131bf8590			Jump to behavior

Source: 4ra1Fo2Zql.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4ra1Fo2Zql.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 4ra1Fo2Zql.exe

Static file information: File size 1959424 > 1048576

Source: 4ra1Fo2Zql.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1dde00

Source: 4ra1Fo2Zql.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \System.pdb source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2199358921.000000001B952000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.pdb source: 4ra1Fo2Zql.exe, 00000000.00000002.2060132531.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs

Compiles C# or VB.Net code

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E64B91 push eax; retf	0_2_00007FF848E64B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E64790 push esp; iretd	0_2_00007FF848E64793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E600BD pushad ; iretd	0_2_00007FF848E600C1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848E61C9F push FFFFFFBEh; ret	0_2_00007FF848E61CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF848FC25D4 push esi; ret	0_2_00007FF848FC25DF
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 0_2_00007FF84925D1FC push edi; ret	0_2_00007FF84925D1FE
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E84B91 push eax; retf	10_2_00007FF848E84B97
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E84790 push esp; iretd	10_2_00007FF848E84793
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848E81C9F push FFFFFFBEh; ret	10_2_00007FF848E81CA1
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 10_2_00007FF848FE25D4 push esi; ret	10_2_00007FF848FE25DF
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E960B8 push edx; retf	11_2_00007FF848E960BB
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E95CBA push eax; iretd	11_2_00007FF848E95CBD
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E798E0 push 8B48FFFFh; iretd	11_2_00007FF848E798E5
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E78426 push ds; iretd	11_2_00007FF848E78427
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E64B91 push eax; retf	11_2_00007FF848E64B97
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E64790 push esp; iretd	11_2_00007FF848E64793
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E600BD pushad ; iretd	11_2_00007FF848E600C1
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Code function: 11_2_00007FF848E61C9F push FFFFFFBEh; ret	11_2_00007FF848E61CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E54790 push esp; iretd	28_2_00007FF848E54793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E54B91 push eax; retf	28_2_00007FF848E54B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 28_2_00007FF848E51C9F push FFFFFFBEh; ret	28_2_00007FF848E51CA1
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E94790 push esp; iretd	31_2_00007FF848E94793
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E94B91 push eax; retf	31_2_00007FF848E94B97
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Code function: 31_2_00007FF848E91C9F push FFFFFFBEh; ret	31_2_00007FF848E91CA1
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E698E0 push 8B48FFFFh; iretd	32_2_00007FF848E698E5
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E68426 push ds; iretd	32_2_00007FF848E68427
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E85CBA push eax; iretd	32_2_00007FF848E85CBD
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E860B8 push edx; retf	32_2_00007FF848E860BB
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E54790 push esp; iretd	32_2_00007FF848E54793
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E54B91 push eax; retf	32_2_00007FF848E54B97
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Code function: 32_2_00007FF848E51C9F push FFFFFFBEh; ret	32_2_00007FF848E51CA1

Source: 4ra1Fo2Zql.exe	Static PE information: section name: .text entropy: 7.554685403500024
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: csrss.exe.0.dr	Static PE information: section name: .text entropy: 7.554685403500024
Source: GrVEPTmsoNTbY.exe0.0.dr	Static PE information: section name: .text entropy: 7.554685403500024

Source: 4ra1Fo2Zql.exe, ex6u5CrEHFnwWAeLDl.cs	High entropy of concatenated method names: 'jTUlnAwZw', 'vXV3I3cPfubGLex0LY9I', 'eqxB2ocPF0UNM9kR7vnk', 'yZ0emHcPp5YI9Gjy8Cqt', 'MMsXbKcPlHvsuQ08rfgU', 'yXw4QDWG9', 'dRQ0U2hbn', 'opPUY6f0S', 'bLOIhOZHt', 'bAXoiLxSA'
Source: 4ra1Fo2Zql.exe, D1FlRoDqcSARSOZbnHB.cs	High entropy of concatenated method names: 'LH0DNpi0OT', 'wpl8fdcRadw4COXsxnuK', 'wcqgGHcR4E5UMJVgGupE', 'SvIBEVcR0tM8bs5p0Q4Q', 'P9X', 'vmethod_0', 'OSucCKDAZ1R', 'imethod_0', 'OerX3RcRW6qjVLu0VrrU', 'dhG7DXcRePJxCmdIc600'
Source: 4ra1Fo2Zql.exe, nABh0Kys1MN46ZffL5J.cs	High entropy of concatenated method names: 'AjGtDpckSwgdICKMH3ci', 'cA5XYwckqc9FTZOjVOQt', 'ulTPQBckJKmf6j91WeId', 'Hba50pckVqVcUINrpbxA', 'H7jdAxedVd', 'aZuF4BckYGZtoGOJnv0U', 'lg5ghsckwi7kWkd1NZ1W', 'u7dCkVckxr7Q6oJ9RosS', 'IXy6JLckOR53rZIX1OhW', 'tR2QAfckNSnll0dVyJCf'
Source: 4ra1Fo2Zql.exe, UqUu7p6aIXKD1Jfyfpd.cs	High entropy of concatenated method names: 'omG6nafVoJ', 'BHS6Bfoni8', 'wHe6FMXsVw', 'Dgd6pmFCp8', 'mD26f7r79N', 'McE6lS3ThH', 'faL6RlJcUM', 'kN0683phGP', 'edC6krdgt3', 'sau6b1MxUP'
Source: 4ra1Fo2Zql.exe, LgJrts62MAVfKLajc7D.cs	High entropy of concatenated method names: 'FTjc5pmK0q4', 'KHWc5fOv9YL', 'D9ac5lebFQc', 'rjAc5RQc5QP', 'lumc58aM0gn', 'apOc5kfB485', 'hRlc5bcQixZ', 'qO1AGrEADa', 'VOYc52bFKR7', 'Sf1c5mIg8ae'
Source: 4ra1Fo2Zql.exe, K4Kx3sNmFb8h7ZRAOdA.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'knJN9CK56r', 'tcqNElYWFc', 'hsQNT2CQAE', 'Dispose', 'Af3XP7cguYf9AWumsLBy', 'MO271Icg9U1aFLQYi5ua', 'fQFYM2cgEvwaTpWZSBFP', 'U855KxcgT2QgBDlCVWZs'
Source: 4ra1Fo2Zql.exe, tUhWhiFDEretVj0VSwR.cs	High entropy of concatenated method names: 'GH3F78FRrT', 'XVnFQXvaO2', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'O1rFhxv1ql', 'method_2', 'uc7'
Source: 4ra1Fo2Zql.exe, M70500G29FF1KspfaIr.cs	High entropy of concatenated method names: 'q64', 'P9X', 'iiUcCdUwcsD', 'vmethod_0', 'hPAcD5aD5Wp', 'imethod_0', 'yHKRJMcFtq8P2W8BVEgY', 'Bg0fyWcFgOCs1RWKOJsC', 'LAh40icF6GtJMUJpbUnL', 'q4xqrlcFA10ZYwr8bpGP'
Source: 4ra1Fo2Zql.exe, YJ0nwytrtfFSElJEkGn.cs	High entropy of concatenated method names: 'Eh3wu6c6U2NXq3OH0i04', 'fsRJyZc6ItU940W7BfI9', 'iROgYC8i59', 'ASsjpwc6MWdk3p6HHEbv', 'bdhie2c6PnqV6FrbVi7p', 'P3jnghc6K5bFUJEwqlAs', 'f8sAnKc63W3L8g2L6WE2', 'JQFE5Kc6nvBbLBsgyKZU', 'Y6EiaLc6BZQFVH5oY9tO', 'InpuMhc6FW7ZxuJiQ7HQ'
Source: 4ra1Fo2Zql.exe, XBqvsHCMnuXoWheSita.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'RRxcD1mn3ir', 'vnWcCcgqcIs', 'wYUONtcBPTryoXA4XPpk', 'MG5652cBKBGRKij6RI8B', 'Nd5nMXcB3VUeUGo2KNjM'
Source: 4ra1Fo2Zql.exe, KZdqMw5l3AoIJlrSqTl.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'Oc2cD7Kxfw7', 'vnWcCcgqcIs', 'V6rTBpcpSBM3GicUUf7x', 'GpBtvYcpVQ21VE8G7Dhj', 'zara7OcpH8rnoKGGo9ra'
Source: 4ra1Fo2Zql.exe, avLbHS1Pps7sMlPbrMt.cs	High entropy of concatenated method names: 'Vkr19Jl9N6', 'Wmy1EYb8jy', 'IIf1TF1Glr', 'OUd3NxcnEPfOqxscLIY3', 'z6rWVNcnTeDH6NehStYn', 'sFMiUPcnuAqBuB6nnwOQ', 'eqdDXrcn9uUEswNu8gqK', 'Fh913Ojdev', 'dyi1neItpN', 'B6N1Bo1xfE'
Source: 4ra1Fo2Zql.exe, m2qHExicItpUidZ31pB.cs	High entropy of concatenated method names: 'lyPi1ZYANh', 'q1oiCf1XUp', 'kMMiGXUIG6', 'xI53dlcfhOVvcL3VByru', 'KB1GTccfZxEagedTYhAO', 'sGt7HocfdvUJPLFx10TO', 'g0AmpQcfWPHh8p5H8VwN', 'o4gqbucfeL6FH2HfR1Xy', 's5uXT0cfL4A56oM405ZH'
Source: 4ra1Fo2Zql.exe, uXTmSC0NO2d5jpYm1pJ.cs	High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'H5J0gnOfM9', 'IUscDahP1uZ', 'h6WifOcuTMPZ0SB9depL', 'r0PZWtcu9Z7rkbhje4Wg', 'DfDIN9cuEgjBoDsQ0HnS', 'ehpEWucuqRAXdpRkmJck', 'ACfYhJcuJLBfTMj9urRR'
Source: 4ra1Fo2Zql.exe, XXDe8xIZBsdu6ciAJDW.cs	High entropy of concatenated method names: 'wBKscWJJoW', 'zArn7QcE2dnrwWJpiibw', 'AmEBQAcEkjLrG3x0KTaq', 'Fqx8ticEbe51f48CFaUt', 'LxD0AAcEmrI71ykWUT88', 'k7pIW200hS', 'kUSIe7Is3q', 'J6hILAM4Pv', 'jw0IrCiS7x', 'E5HIaoxP3K'
Source: 4ra1Fo2Zql.exe, VMIFqTiZm5Ky6nXBIYi.cs	High entropy of concatenated method names: 'P9X', 'W8rcCogNp6l', 'vmethod_0', 'imethod_0', 'MEaSN8cf3jXn6iY0LU06', 'UibaqUcfnhSukndYAQPB', 'sFFweOcfPokZxX2C4jcF', 'OVxsXycfKc1xyAOFEcMq', 'WJMS2TcfBGSTpk1O2qy6', 'TEfpiwcfFAIoBA2xDCmO'
Source: 4ra1Fo2Zql.exe, hlPwhFYkPiwtLDfVFrT.cs	High entropy of concatenated method names: 'OMtcDPW7IY7', 'Brwc5MeUBJ0', 'hKZOA0ct36efE9Iq7Ylk', 'Gt8GyCctPfryg9lvcGS8', 'lZrEO8ctKpTHVOhfdXGR', 'La44Rfctnyi2F8MuLn6G', 'NuR0rvctfCQLoi0fDuP9', 'FiDg1MctFhCRsjfqKUrg', 'mtejcjctp5Z9eQwh6vU5', 'imethod_0'
Source: 4ra1Fo2Zql.exe, t66nRMyv3aDp0Ot03wK.cs	High entropy of concatenated method names: 'iWmyCCwdCG', 'GQ3yGAnhiM', 'VLFy5ssZeC', 'efByiRF9kr', 'HGOyDbOj9w', 'PDlyy1yBoZ', 'S9hy7SSIUO', 'bZZyQaoeY1', 'kG6yhqYuG3', 'nH8yZnGKNx'
Source: 4ra1Fo2Zql.exe, BpNXecUGUR94nSRnStG.cs	High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'EgWUi9mp1U', 'vmethod_0', 'jKVUD8HYHV', 'xxScDUPKgIl', 'tIK1ZccuzbFceyii8qMg', 'NPTBTxcu6EYsdap0IcIy', 'GBkurVcuAmJYEqr3ASDH'
Source: 4ra1Fo2Zql.exe, kCPAeIE7dMhPOEPqNk.cs	High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'WswqXrbpC'
Source: 4ra1Fo2Zql.exe, xQPLDIbFPja6FvsA8Kq.cs	High entropy of concatenated method names: 'SDZbfcct7k', 'DviblE5dUF', 'Ty0bRGMZQ8', 'UuCb8OwPJ1', 'Vkubkr8Gls', 'shmbbqn3wA', 'KrTb26DBWC', 'zktbm4k5Pd', 'II2bucsCHo', 'EHab9rRUVQ'
Source: 4ra1Fo2Zql.exe, DFqLFmswRgyPgqrFBMx.cs	High entropy of concatenated method names: 'F7csY2tFEI', 'PgUsOE7g6r', 'Q8psNNATrq', 'jdCst7G1v4', 'BkEsg1oCf4', 'MC30e1cTCRJaLaWSqwJ0', 'Sg1dNFcTGkXrL8dLcUkg', 'fLTrZlcT59juKGQPe5dD', 'brvtvKcTihNd1cLJJMgx', 'f3b2TCcTDUInmcVfLUZ0'
Source: 4ra1Fo2Zql.exe, oFr4nZGe6u1tpqFoDPF.cs	High entropy of concatenated method names: 'b8yGK9SNOU', 'thDG3XJbkd', 'AUhGn9QsLt', 'Rs2ugocFTkj9fn0Lj5qw', 'cY1t2bcF9yjo8oHpZDft', 'hlCcVmcFEa2yH1CHLh0v', 'O6OJrgcFqmS21mJdjV0d', 'cuRGs0T8bi', 'KwCGX6EjMU', 'bBmocXcFmmClUfsqOTpI'
Source: 4ra1Fo2Zql.exe, suSCHg3AQdKG0D3ACY3.cs	High entropy of concatenated method names: 'Y9mnjtANun', 'PGIncdTtAE', 'kBxnvlO6tC', 'hZTn1nlxbL', 'MYHnCWDUyM', 'ktvnG4ahir', 'bw4TLEcSD6ndpntXFGNY', 'QgrsrHcSyZIMNoHcNfV8', 'dXpqdZcS7WYZLneAtmvM', 'Sk4SbKcSQL0Q7d11sxBy'
Source: 4ra1Fo2Zql.exe, F7ZonGfRprCjvdLnpSY.cs	High entropy of concatenated method names: 'Close', 'qL6', 'DV6fkeQUh6', 'I6Mfb4agPt', 'Ygsf2A4k3C', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 4ra1Fo2Zql.exe, dYobUE5XQa9s2vONC6a.cs	High entropy of concatenated method names: 'SoL5FmUSuU', 'Ib2Un0cpEoRoyLWw4fR4', 'Ddnl55cpuIi0M067uuH6', 'BVdJFAcp9grTSCCVDv9b', 'TiwBVbcpTDjnuUtknm9b', 'gnpP6Gcpqbu5fF2Qvq8h', 'E94', 'P9X', 'vmethod_0', 'srUcC04vrHO'
Source: 4ra1Fo2Zql.exe, n3Bscv4bygT47v5nT1Y.cs	High entropy of concatenated method names: 'xF74qP8ysw', 'Jk74JH1nFf', 'UWS4Svo9RO', 'MUo7Aqcm07b61keqi7b2', 'ws5XpgcmacuZ0f4uhrST', 'thgJiFcm4tYWmZgfDpQb', 'GKU4mRtxmT', 'pvv4uOLHcB', 'mTE49Bv4n7', 'TUWhS0cmdW3fUZxXYibm'
Source: 4ra1Fo2Zql.exe, G60nIvD7EnbTUJB9AfS.cs	High entropy of concatenated method names: 'iVcDhqpOZt', 'qtSDZO8NiX', 'UrYDdYgoNP', 'YsB1GNclMu3IQM3jVRMw', 'M8OkQpclPawdtC5AES4J', 'NYhq3WclskWrPg2v08h1', 'GqXxp8clXRt4SpRGKN6o', 'I4lM6PclKM4D4Zont5K9', 'CCOSrDcl34P06kT6XvtY', 'HkI7LvclnKwNyRXwItoQ'
Source: 4ra1Fo2Zql.exe, lcgjMVDK38b57didclW.cs	High entropy of concatenated method names: 'x7IDn4pBXK', 'QyvDBMoOMH', 'S5HDFv78KB', 'SQYDpKPIfF', 'FWqDfZqlfP', 'p37Dl2dc2U', 'SfSqD6clAnx9BxjsnkSp', 'LPlhVxclzZ8i4heUuQxS', 'Wuqt2pcRjtLFUMqJfny0', 'l4JXOfcRcmu1qOHJnmRV'
Source: 4ra1Fo2Zql.exe, leScgRBAiEKqteybUbS.cs	High entropy of concatenated method names: 'JHcFjC4DeD', 'oW0FcXmOmk', 'Yd7', 'TGWFvFq0g1', 'v3EF1Yeq1B', 'qFSFCKYuWI', 'IfGFG7b4Q4', 'Cc3ApicHDrcdRaavHm78', 'yHwaR0cH5fGaMPZjnd5E', 'cmb2s6cHiQcMZYwn1I4Z'
Source: 4ra1Fo2Zql.exe, MGkHTiGwWqQBJJUxvV6.cs	High entropy of concatenated method names: 'VY8Gg25yPP', 'dwvG6OS8kb', 'K6UGALgHwy', 'M30GzWJhSK', 'BmO5jbilrU', 'hNJ5chM6x7', 'WYu5v1ovOu', 'QE6T9wcp4cEtaO6Qtcb6', 'uIPP3wcprLZ8aN0L2k3U', 'XeaeFXcpaNUPUKrdWx42'
Source: 4ra1Fo2Zql.exe, LElZEBiywA8CeEoRPwZ.cs	High entropy of concatenated method names: 'l7oiQvApa3', 'MnVihFX9wN', 'i5ms3ccf0xdn9BPsQBG3', 'wERRcacfak8vk6N1T7mB', 'OQfN1scf4e73Mm2BIbgD', 'D2qkGecfURwtBcTxS1ho', 'E9G7VPcfIjnNBoRrIjQU', 'FO59PIcfo7bBlfUb6YjE', 'rijri8cfsbqfBjaVoBDt', 'pTXPyZcfXTREIZvdi7VN'
Source: 4ra1Fo2Zql.exe, CCvJFOnmi8MqYguZx3Z.cs	High entropy of concatenated method names: 'udZn9vT5qJ', 'jlgnEiPO6X', 'ChRnT98afM', 'gh7nqJ3WuC', 'lMTnJKk1lU', 'nuvnS8JjVf', 'pZHnVqu43n', 'cYqnHJVEir', 'TtEnwkqyjk', 'Y7FnxZNlIZ'
Source: 4ra1Fo2Zql.exe, dogL2scATqm5CBE3gnJ.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'ENCcDcPkcI4', 'vnWcCcgqcIs', 'Lr6Qgbc3j9rrXhaBEvwL', 'auv78nc3ctDQujKPVum4', 'ulTuGuc3vlemnNocrOyf', 'odoFhUc31pP46ndk8yHa'
Source: 4ra1Fo2Zql.exe, uJHsE8GEU6s7g1KM1q6.cs	High entropy of concatenated method names: 'MrmGVYigSG', 'TrWPCpcpyZGRucJWqeeX', 'xIONV8cpiNiavrY8XXwq', 'GDeCHgcpDOBAldeRKbic', 'AY5jaYcp77M0A9c6rjJr', 'U1J', 'P9X', 'zhOcCeEcBnE', 'cGmcCLkrS23', 'pV6cDiMXngk'
Source: 4ra1Fo2Zql.exe, gNhdDOnFZ08FxLXBCfs.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 4ra1Fo2Zql.exe, KjvT0dMs3YQguG4p87v.cs	High entropy of concatenated method names: 'ylpMM5qPkC', 'qqdMPUsJdl', 'EjkMKvdQsQ', 'lpOM353gUp', 'mKVMnpkyj8', 'Mp3eH2cqGNrV0g3DgXTh', 'z2tGGVcq56bt32Cjx5pA', 'vdm2rGcqiQFoDdQjtPNk', 'TpxEwbcqDpDSUfIdS5Z1', 'oa2UPscqyKmnCb4sqRs0'
Source: 4ra1Fo2Zql.exe, zyIMZ4K1lmP8y7jb09Q.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'QJdKGXRcpw', 'Write', 'rIwK5lmbou', 'g4hKiSDuF2', 'Flush', 'vl7'
Source: 4ra1Fo2Zql.exe, eu4Juytj8syog843X6R.cs	High entropy of concatenated method names: 'yLUtCCC8a8', 'p9btGRsa8e', 'yVFb7lc6jLpmZovYws7W', 'iZqYqrc6cFaSlC6uSNMH', 'OKmkMlc6vGUHCncAqKvA', 'tHh40pc61jWXSNJp0ooC', 'paXrYjc6Chb1iJttPLk4', 'KUPtv6sVMk', 'jybJfRcgg0Zfj5hcS3W4', 'Siwy33cg6CcDrrgwCROZ'
Source: 4ra1Fo2Zql.exe, dY24pPC495cqBg8hpMO.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'XmFcDvrRayT', 'vnWcCcgqcIs', 'UPHpXfcBUKb06vixJdu7', 'yyl0VocBIoBFdf6knp3B', 'Ah5UjHcBoYrm3lTXrMpQ', 'sZXOBDcBsJ6109QEOr5V', 'G44b6LcBXmB2nFn0UhjI'
Source: 4ra1Fo2Zql.exe, OT2fhhbTIUTxcPNvcmZ.cs	High entropy of concatenated method names: 'W36cDXVLRBc', 'XN1bJlTGJ8', 'g0DbS9HLhw', 'dK4bV0w13s', 'UvGYVDcYuOmpnWUFmB09', 'gl4aT0cY9gRSJoBwANFo', 'oW3jNucYERZsm88XnZA4', 'QacR5GcYTmi4H6pAnxwO', 'shV66mcYqEpmNcrtKu3w', 'o58blwcYJYbODoNoyxLC'
Source: 4ra1Fo2Zql.exe, DKKIfSNFCCxQDUka87n.cs	High entropy of concatenated method names: 'c9rNfXJGhS', 'zLqNlR4UcA', 'vIvNRcCXO3', 'OMoN8IXpAn', 'Dispose', 'VFDVVrcglepHk4ZOJd4a', 'k7fgITcgpEbXjZv9OeiA', 'jcTyyPcgf5IepNc3svPM', 'X6Fy6UcgR6nBQgyadIxp', 'aq9ANRcg8xAxUXxtD70u'
Source: 4ra1Fo2Zql.exe, GcbayIGlb8oSTZlMk62.cs	High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'DPScCQZ088T', 'nGbG8KfZh1', 'imethod_0', 'JgqvmucFSyWEAbWGop81', 'gcUbu2cFVTlXvtpxijfv', 'NpyYpEcFHBMXofmHq43K', 'rej3HJcFw1nasPbGgiSW'
Source: 4ra1Fo2Zql.exe, fQanusvHeXysFOfABrc.cs	High entropy of concatenated method names: 'QMN1ijTwVU', 'TVxlwqc36K0M7hrK4UYC', 'HjftWLc3Ar7rmvQaj8LO', 'B81gJwc3zHpKbAaXAQXD', 'csoVpecnjpUkhQKtSBHt', 'W99M6mc3tn7HTsfd6Kmg', 'CP0Wycc3gHH8SjmjjHuh', 'D3UbJ9cncYWpe0hjghLi', 'iSXuYXcnvhgXt3WuvMjK', 'BoP1jqSi1v'
Source: 4ra1Fo2Zql.exe, Pu3DSwC2RD7KEiL4vfo.cs	High entropy of concatenated method names: 'GXVC647Cuu', 'SDJE2ecFyHJfbTNcG4sd', 'WttO5JcF7KwtEVQdj3jC', 'bxmQcwcFihAf2rh7FuTJ', 'CsfR4TcFDYwLvdtoLCsM', 'rKfSxGcFd9iZTlQFsVJ1', 'aMLDX0cFh2EiM4NjARRs', 'YWOD0RcFZtX4FybGn9L6', 'oqP2njcFWSusulSfCymm', 'r7GG5q0gv5'
Source: 4ra1Fo2Zql.exe, TJhJRrlH1sgNhHgKGUf.cs	High entropy of concatenated method names: 'iX3aHLcxetRwaQ4NtLAX', 'bP4PeBcxLU7dUGaCFYIj', 'wns0gocxrMAaGAhfViMy', 'tL4lxwmbHn', 'Mh9', 'method_0', 'cWRlYYPAox', 'iTUlOB38RA', 'sJ3lNtuZPT', 'u9Ultl3tYr'
Source: 4ra1Fo2Zql.exe, iXuyu34YOBnWV6rGi7U.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'oX8cDZ3EnFt', 'ChqcCqi2EH7', 'GiPQNGcm3AXAqYpVXRNg', 'nTrEXncmneWdfuNNirkb', 'k3MWV9cmBBsM83yofyZY', 'OHK6PYcmFiUygrtoVKiX', 'z8mglgcmp79VQdqMtZkp'
Source: 4ra1Fo2Zql.exe, hgWe380VnaRJmLpIeVr.cs	High entropy of concatenated method names: 'wq9cDLEuKKJ', 'GYi0w2HSb5', 'V9IcDrmyrDW', 'I6NKxRcu8rEAQpWRoX6I', 'fFLEKFcukJqqsCu6xGRk', 'smfAWYcul7LtxX8uw8VL', 'NAek3CcuRgoHvmQ9rPwG', 'TUsddNcubdvGRPpXDb5M', 'aZpesQcu24MonfdogW2K', 'vcXxDAcumIWLhHUjmAqL'
Source: 4ra1Fo2Zql.exe, Nx7HEtWQNP1A41ZuSaw.cs	High entropy of concatenated method names: 'Dispose', 'IUZWZ5evf7', 'paQWdpGF3Y', 'U5MWWQJonV', 'b1NnO4cb7dYVGLkJwiXI', 'GmLmNbcbQNcyJY0WJWJp', 'ziu3t8cbhl5qOHVF2KDx', 'TrgHSvcbZTf4f8Osm6FP', 'zeeiIBcbda1sFVV4YHZJ'
Source: 4ra1Fo2Zql.exe, Qon7Cv3x2nEwjN7u77h.cs	High entropy of concatenated method names: 'XkV3OrRBsm', 'OSS3NTra2J', 'LNH3t3OJkG', 'GEC3gaqtF6', 'sVR36fRRkj', 'nrwuftcSvUmF3lswSYBF', 'dtGVf7cSjOm5OAI7SjrA', 'THxVGncScDvl8B9Uqy1L', 'gTvUG8cS1fUallXMFFNh', 'd8kwg6cSCIYvfGGtpwMt'
Source: 4ra1Fo2Zql.exe, DB9M1HydFgb7nonCfFL.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'OofKgucREhv9J3wt4878', 'zT4MFrcRT76uBt4SVKm5', 'Fhj4O8cRqjvgcM369q6X', 'gdqyeumpF3'
Source: 4ra1Fo2Zql.exe, VPXbnP0djxnfTVe42Tm.cs	High entropy of concatenated method names: 'CTP00GRtFj', 'VpIwBWcu1Zrytnw7cKPa', 'RjwRQucuCs8FtjKy9QeQ', 'QyvG1ucucVr7I7NaVnDf', 'DNeFTqcuvoj1wAESO2y4', 'e26ENZcuGY7nTHmlye47', 'UAi0egA9SF', 'd2BKVLcmtEbHBwYsj0pb', 'FBPqATcmOwdpe8Lflf9D', 'RL45ErcmNZsrihK2vqBA'
Source: 4ra1Fo2Zql.exe, aVe74o1HUFWPtYIyrYU.cs	High entropy of concatenated method names: 'C23C1qPgYf', 'bhSCCuFmUD', 'QCBCGCklN7', 'JdV4rMcB5LCskngOqe8S', 'E6pTpBcBiE7RC7IffyBp', 'cTBxNicBCUdnEXy1mUgg', 'CrEnMQcBGqRUr2iGbUnn', 'sYACQEQA3Z', 'qt5FbLcBQixWBuWex1Vw', 'a74YJ0cBy986HBqNfB0L'
Source: 4ra1Fo2Zql.exe, IV9cyv2FFYTATxIxBVw.cs	High entropy of concatenated method names: 'KW62fPltq3', 'HlO2lfHeXO', 'LJa2RQZRci', 'M4i28OP73l', 'lxj2krDQ71', 'jFL2bp0Jfj', 'KpF22e23g9', 'qZb2mbn97G', 'wpu2uGgihJ', 'X2i29bbE74'
Source: 4ra1Fo2Zql.exe, HUrRKiDIw6cvRFMn0mo.cs	High entropy of concatenated method names: 'psqDsGXrwv', 'c5iv82clJRiDt2YT0oc9', 'g6xDiGclSUSJo9BdBA9R', 'Ge6iBYclVCoaZJ40jxxh', 'bFdP82clHTgbWI8LLoiq', 'AZINJuclwMJvWQAA54Mr', 'OO4kgYclTb9e3Zcl5Gqm', 'kv98puclqmD4nukQs5k4', 'iPGyQVclxtSW8qVZ9iDg'
Source: 4ra1Fo2Zql.exe, yhMBD4s7wNk7qAsjsr9.cs	High entropy of concatenated method names: 'hgysFExdvU', 'kipshBl2x0', 'AbHsZUXL8L', 'cB5sdUO3NM', 'VvHsWBr1MC', 'mLrsewh37m', 'OmNsLqEVqN', 'eeTsrGXv0g', 'sD1saKL0Jl', 'B9ts4ZG1V2'
Source: 4ra1Fo2Zql.exe, YSnMSvPQ1Ormf4YLlJ8.cs	High entropy of concatenated method names: 'UGrPZdWIlT', 'k9JPdGmR6Y', 'cm3PWGGLKF', 'tYtPef8wjm', 'NYnPLIyX2F', 'hdDl96cqMZAWjF7NfOFx', 'yAU8yfcqs2aNHgteotZF', 'd3B4p2cqXSfiu2X4NBYE', 'VoMofKcqPyI4gGtZCBjO', 'bBBxQlcqKIDXD9PlEawa'
Source: 4ra1Fo2Zql.exe, etFV6Q8RsMPCOytDGjt.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'FOMflhcxqLXS7Qhwfqe7', 'uVc5IxcxEYk0kJW4GNx7', 'IpEgUScxTP5pO7EiNX2t'
Source: 4ra1Fo2Zql.exe, tUEkmFiuw8NuO4CGsZ8.cs	High entropy of concatenated method names: 'EItiNZnAG4', 'ykoitiAEZs', 'QFgU9MclhsYYTH8fk5Sp', 'hcyqxBcl7ggyQiw8iTI9', 'WHIgH0clQm7ZFFENLO3P', 'L7WUqwclZyEiFgtGP1Hu', 'AvPiE5YN3E', 'DD4iTY0TLF', 'wyXiq87WPy', 'TsDiJLTKIf'
Source: 4ra1Fo2Zql.exe, TR8Tju5ug4lftAofk1l.cs	High entropy of concatenated method names: 'R5Q5NA9JYt', 'CPb5tlT6XV', 'RQI5gNj99V', 'jD566icfykUmGTdvmnFA', 'bIJPDucf7A5qI1o0h7F5', 'mbY0Fqcfi8HAqSRjqkUv', 'CsBAgecfDndY9obHYUsR', 'o0G5E2L24f', 'O6g5TA09TH', 'gac5q7QflY'
Source: 4ra1Fo2Zql.exe, sCysD0GysTxMGnuL2OO.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'RZNcDGGny9k', 'vnWcCcgqcIs', 'jg8bFFcF0Iwwx2Ccin00', 'IAaFM6cFU27yHW2gulhu', 'sFXwANcFINTNqA3dEvag', 'l5H0oMcFoi5ioVTMIZZo'
Source: 4ra1Fo2Zql.exe, nDbLvo3qVLKVJF7sP1m.cs	High entropy of concatenated method names: 'pGZ3SkMnhw', 'Ise3VnKgj9', 'q8n3HDL2k7', 'yFHfgjcJNcDIymf9fpcW', 'j2UJi3cJYXKkQKI6FgPs', 'XSb8OUcJOg6MxgXAtm0b', 'xJj7umcJteC1YhauhqqQ', 'hEiV5FcJghVS2cgklb29', 'sTsexFcJ6clQISHo9k86', 'MA4iSecJARrFTqtccJ3r'
Source: 4ra1Fo2Zql.exe, y2cQVhbyso8ZBUkcRvA.cs	High entropy of concatenated method names: 'FgKbXwtqJU', 'trFGJPcY3bpmOwHJA5Ao', 'D9SFPUcYnCBEjnrkBIR4', 'hSwVuccYPVa7d5eaxYWZ', 'wG5vhmcYK2jJNLsqepfl', 'PhwHpDcYB1NQBKRowYCm', 'IPy', 'method_0', 'method_1', 'method_2'
Source: 4ra1Fo2Zql.exe, Hi2iCjPFwOK39Y9KPHC.cs	High entropy of concatenated method names: 'method_0', 'jJIPfPp4yl', 'eQBPlqwxwg', 'cvjPRreb8A', 'OWDP8IGZsl', 'G7kPkVUY4F', 'Ot5Pb0OtiT', 'wkjK0XcqkTZIU7I6tZYK', 'PuW6JncqRJWU2ULcaefh', 'qUgY6Jcq829jaO7YkxmM'
Source: 4ra1Fo2Zql.exe, vOSyaTvGSDci05XbLCs.cs	High entropy of concatenated method names: 'FfTvieBunt', 'OaRvDmy10u', 'qWAvync7nu', 'Hvfv7NlMmb', 'xXM5FMc3WSVPLIi2b1jF', 'jcnBdnc3ZAfnXQenQcey', 'hjC7aLc3dZLrx7Bx3sXa', 'OPoOBoc3eGrZIsbRu43B', 'FC1qI9c3LtlP4QNZtcAY', 'mMDcgvc3riCek25bfA6V'
Source: 4ra1Fo2Zql.exe, KG8EEGpUc9XH9hEnkVj.cs	High entropy of concatenated method names: 'Fi1fds1NWo', 'N5eMsmcwvPZb7YVXXwOe', 'mcADgqcw1ddyWnmgCZ4o', 'kt5', 'uUIpoYuMgx', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: 4ra1Fo2Zql.exe, FkLS7gDLVM8h3jrb8Jh.cs	High entropy of concatenated method names: 'Ga1D0C5FLK', 'UiH0FOcl9fcl86h6l18A', 'pqS4Zgclm4GihxYYRC72', 'QiWnUIcluy20ZJqha4iv', 'vQqDaSg7UD', 'TbjUUkclR7anoTD1prwG', 'fHIoqBcl8LpvYuLNwSUD', 'CwOgvxclkTPvRti6pd2c', 'AmsDEMclfY7Id1DUMQdi', 'ALG8VbclldV1yExKXPpt'
Source: 4ra1Fo2Zql.exe, wnVArrWogH7KjABKws0.cs	High entropy of concatenated method names: 'wNd4ZUfLYp', 'e3P4ds6WGo', 'vQjqw0c2OhGRhLtFYJQA', 'sBVBMjc2x8mubneffZIu', 'fFVZCqc2YLgRvcU9vRel', 'tBhwmwc2Nf4TMYTLifPk', 'MRf44BhLgY', 'fnGCTPc2gvYPrPFoKNf2', 'M2mdX7c26wWJSn3kHbiG', 'YZkaJZc2AXOhWgwtP3XV'
Source: 4ra1Fo2Zql.exe, XrgwotBTm4DxLoN6ZYc.cs	High entropy of concatenated method names: 'vVQBJaLQHB', 'DF1BSLqiu1', 'iXOBVBjpVX', 'qKwBH8AqjC', 'KSiBwRKKFw', 'N5iNiQcVtFJG68Z1oPhT', 'xyGU8WcVgbIQJDEaRfjW', 'wbiXgncV6XGL7Bl25ID1', 'iLudcYcVOUy51wDRfCZH', 'XivmticVNMV1GV29jUs9'
Source: 4ra1Fo2Zql.exe, UcNwSr0ETGRuQRnTxSt.cs	High entropy of concatenated method names: 'iGV0qqHH4x', 'oKV0JdSsAg', 'O130SbJ4VT', 'NoQZUWcun58loggP1feT', 'fSQPGScuKr2illI3LRYb', 'LObjWGcu3I34wwpV33aF', 'Rt7qJLcuBVWXQxuNjbAO', 'Ys6GyPcuF53EhO72R6wo', 'g2EALIcupLoGi64px8Ed'
Source: 4ra1Fo2Zql.exe, vMm4SAXEFg3QQNHt6xw.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'Mh4XqT4DCI', 'oWkXJBLx8q', 'Dispose', 'D31', 'wNK'
Source: 4ra1Fo2Zql.exe, QcIWbXfHqXy4gM2THdQ.cs	High entropy of concatenated method names: 'qrmfxjhNBP', 'k6r', 'ueK', 'QH3', 'GsnfYctrJq', 'Flush', 'aGUfOpaF4T', 'vuBfNF9HP1', 'Write', 'yYKfttmARc'
Source: 4ra1Fo2Zql.exe, yKLFTS2tKygjw4mmtKv.cs	High entropy of concatenated method names: 'yWl26oVfAb', 'Iuj2AEOcdl', 'Clu2zAkI2K', 'UPdmjkvvPx', 'sNLmcxvVc4', 'CQJmvQlZUt', 'Nhvm1gep81', 'rvwmCbrnaH', 'acGmGPl8Uy', 'ckim5F1vcb'
Source: 4ra1Fo2Zql.exe, eyoEW5UcN4RK4Gyefrx.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'GtycD4vw5jk', 'PDIcD0lge8N', 'WrGHPQcuwKEZvvUdJjh8', 'KLTaHccuxavdDlNIRMaR', 'JXnN7ncuYdmBv6m6Zcgg', 'UqFbaNcuO8eUALDaT4xI', 'ix0a8GcuNCRVH4G9MBA5', 'KOilHocutmn2h0eYTW5D'
Source: 4ra1Fo2Zql.exe, m6OFPnDm24BVmsEjggm.cs	High entropy of concatenated method names: 'P9X', 'vUrcDhfCWe1', 'imethod_0', 'hqGD9axyHg', 'DhP6qYcRiFHTOQxsRjIS', 'oOFPqpcRD3uZyPqxwB7e', 'cyDxXPcRyE2BB1GA1t0r', 'SJUrMXcR7AcTv9lK32lN', 'eXvXjMcRQJ5aIK4i43J8'
Source: 4ra1Fo2Zql.exe, yjf4BF43BlrZo9v9RXe.cs	High entropy of concatenated method names: 'WJ848o4Ke7', 'wXFQYMcmQOWJNbLp4J6P', 'J9shwncmy0vT3mpCcvtV', 'FUq118cm7uNitjusc3ke', 'B4Ngp5cmhgHyq3u351b6', 'gJK4BkONSr', 'mOH4FAcQgp', 'kUA4p6Ii2b', 'GNe7l8cmGZpm7vuSoWpk', 'L8mIhdcm5LO2NQrTJ6Mq'
Source: 4ra1Fo2Zql.exe, t08FVnvFBoPDGZMgM8T.cs	High entropy of concatenated method names: 'I1ZvuExKeI', 'nh9v98EVS5', 'KqqKZ3c38qjKKCABTk8s', 'J654LFc3kRx7mWGsgEVL', 'wA7vJ8T36J', 'f81dWrc3u5u5iiARXe5G', 'AvSCDjc39BDDTPN0Jq7L', 'SE5CEqc32HohDy1hc1Xc', 'NDFr7vc3mZbLpUlw3ngs', 'jk5klWc3EfovCUTPy6tH'
Source: 4ra1Fo2Zql.exe, d1UH2ei4FhydddUy7fo.cs	High entropy of concatenated method names: 'AXRi3bPESM', 'MfomDQcfJhUpaxBxbA4E', 'my2RJdcfSexVt6wS74a6', 'mrFioJcfTkllGdVrU9OR', 'dHSVp3cfqugyfRROhkwm', 'wsuC8wcfVxO4kT5vki9c', 'YPexflcfH642ey3du4RV', 'udSiUIrJiR', 'Xp1iIjb3Tu', 'Al6ior499S'
Source: 4ra1Fo2Zql.exe, VYVXbHUesxlnOWEIBWV.cs	High entropy of concatenated method names: 'n9saE3c9BYr8w7v6XOar', 'Q3KV78c9FsUQBHEaj3En', 'ewxoMpc9pbZOcS9j9Vkw', 'ReEyatc93TLReKwn9LYU', 'gDeqCMc9niNhTUhviG4X', 'method_0', 'method_1', 'kryUrIYEL9', 'yGoUaXi60L', 'PBBU4iMZj1'
Source: 4ra1Fo2Zql.exe, DDFQKBFg5J9JxUEKt0v.cs	High entropy of concatenated method names: 'C5rFAoEwjg', 'bsIFzpeOut', 'AUgpj5ZqlP', 'i9Ppc4XOwj', 'hhZpv4MmOY', 'MG3p17aY9T', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 4ra1Fo2Zql.exe, GGkOJOz9cBhq6YIyTj.cs	High entropy of concatenated method names: 'RFpcckVdhe', 'L1Fc129e92', 'MJAcCDCPlC', 'WDUcGDBein', 'WiSc5GRQck', 'K4ociM5yXV', 'Hjgcyc8xsb', 'R7clsucKixPxAoJZZCbH', 'jnkvoTcKDMexp7vNsoAJ', 'qmKBWDcKyG38srF9unDn'
Source: 4ra1Fo2Zql.exe, M1aS8QKuM4yePZFygnv.cs	High entropy of concatenated method names: 'U3TK6hqSp1', 'V3oKzmGBLS', 'ttGKEpZZMs', 'emeKT22FmE', 'RYJKq8Erac', 'O8nKJmMM46', 'HFqKS0s5WR', 'TjPKVZZrJk', 'L0uKHnmuFA', 'EVyKwl4p22'
Source: 4ra1Fo2Zql.exe, bVjfStMY3rChacMXOBv.cs	High entropy of concatenated method names: 'tfmMNwj4Gu', 'yLlMtNrxkb', 'rGXMghWYdy', 'gG1oxJcq4Phu9vi0bly7', 'upLj6McqrBNgWbC8pPEg', 'OG6RE4cqaF60viQXs5V9', 'A5HI7Dcq073xmHkqWE83', 'sfOYoWcqU7H0fYfSJ1Pi', 'no4UNUcqIUtVTAQbDBJT'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops PE files with benign system names

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe

Drops PE files to the user directory

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\Windows Media Player\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\RuntimeBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\RuntimeBroker.exe

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File created: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File created: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

File created: C:\Users\user\RuntimeBroker.exe

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "GrVEPTmsoNTbYG" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\google\GrVEPTmsoNTbY.exe'" /f

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run csrss	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ra1Fo2Zql	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrVEPTmsoNTbY	Jump to behavior

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\RuntimeBroker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1A7E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Memory allocated: 1B350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 2240000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1A450000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Memory allocated: 1AFD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 25A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 34E0000 memory reserve \| memory write watch
Source: C:\Users\user\RuntimeBroker.exe	Memory allocated: 1B4E0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1A8A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xxMkqOtN.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sTRlxExW.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CAgBdTQY.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\myawJPbK.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fuHfGerv.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gwaXxxDZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MjzRNvWG.log	Jump to dropped file
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cPGganVc.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VTXhBlNT.log	Jump to dropped file
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VLoPWCmN.log	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 5348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 1864	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\RuntimeBroker.exe TID: 7604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\RuntimeBroker.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 7768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe TID: 8124	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: 4ra1Fo2Zql.exe, 00000000.00000002.2076580924.000000001B759000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 4ra1Fo2Zql.exe, 00000000.00000002.2079535829.000000001B7A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `1\|pDn-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2192322493.000000001283D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 0000002C.00000002.2237357810.00000175DBE59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug
Source: C:\Users\user\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\user\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\q4lxag2s\q4lxag2s.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\00tp5zly\00tp5zly.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\IZdub348jc.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2144.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFABAA3A3EFF44E7388BEDB3353C25726.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES22AB.tmp" "c:\Windows\System32\CSC1FF918B0E6FF4E65A25AACD427A2AFF8.TMP"	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\U9jP4iZUUm.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe "C:\Program Files (x86)\msecache\OfficeKMS\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe	Queries volume information: C:\Users\user\Desktop\4ra1Fo2Zql.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Users\user\RuntimeBroker.exe	Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\RuntimeBroker.exe	Queries volume information: C:\Users\user\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe	Queries volume information: C:\Program Files\Windows Portable Devices\GrVEPTmsoNTbY.exe VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe	Queries volume information: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe VolumeInformation

Source: C:\Users\user\Desktop\4ra1Fo2Zql.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: GrVEPTmsoNTbY.exe, 0000000A.00000002.2197171062.000000001B0B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\schtasks.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match	File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Source: Yara match	File source: 00000000.00000002.2064515197.00000000126E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4ra1Fo2Zql.exe PID: 5688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GrVEPTmsoNTbY.exe PID: 7716, type: MEMORYSTR

Source: Yara match	File source: 4ra1Fo2Zql.exe, type: SAMPLE
Source: Yara match	File source: 0.0.4ra1Fo2Zql.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1995307367.0000000000032000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\MSECache\OfficeKMS\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\GrVEPTmsoNTbY.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\RuntimeBroker.exe, type: DROPPED