Windows Analysis Report
yQrCGtNgsf.exe

Overview

General Information

Sample name: yQrCGtNgsf.exe
renamed because original name is a hash value
Original sample name: 330a09824e901f7c2fb65be086df1493.exe
Analysis ID: 1521033
MD5: 330a09824e901f7c2fb65be086df1493
SHA1: 236a6a080f1ea340343bedab226a88b3b92ea9cf
SHA256: 6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa
Tags: DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: yQrCGtNgsf.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\GJcAmyRG.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\NkPigQpK.log Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\FTTrxXjd.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\KRjbfmWU.log Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat Avira: detection malicious, Label: BAT/Delbat.C
Found malware configuration
Source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"C2 url": "http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads", "MUTEX": "DCR_MUTEX-RxLHfqluj2OpsLVcTfkV", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Multi AV Scanner detection for domain / URL
Source: 115583cm.n9shteam2.top Virustotal: Detection: 13% Perma Link
Source: http://115583cm.n9shteam2.top Virustotal: Detection: 13% Perma Link
Source: http://115583cm.n9shteam2.top/ Virustotal: Detection: 13% Perma Link
Source: http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Virustotal: Detection: 61% Perma Link
Source: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe ReversingLabs: Detection: 73%
Source: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe Virustotal: Detection: 61% Perma Link
Source: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe ReversingLabs: Detection: 73%
Source: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe Virustotal: Detection: 61% Perma Link
Source: C:\Recovery\JPOyDhPFIytu.exe ReversingLabs: Detection: 73%
Source: C:\Recovery\JPOyDhPFIytu.exe Virustotal: Detection: 61% Perma Link
Source: C:\Users\user\Desktop\BDesMBdT.log Virustotal: Detection: 10% Perma Link
Source: C:\Users\user\Desktop\FTTrxXjd.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\FTTrxXjd.log Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\Desktop\GJcAmyRG.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GJcAmyRG.log Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\Desktop\HPxsKDSZ.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\HPxsKDSZ.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\IjLZavdG.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\IjLZavdG.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\KRjbfmWU.log Virustotal: Detection: 40% Perma Link
Source: C:\Users\user\Desktop\KZthgyKJ.log Virustotal: Detection: 10% Perma Link
Source: C:\Users\user\Desktop\LCrhcYww.log Virustotal: Detection: 10% Perma Link
Source: C:\Users\user\Desktop\MAAYLQkP.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\MAAYLQkP.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\NkPigQpK.log Virustotal: Detection: 40% Perma Link
Source: C:\Users\user\Desktop\OzAXPueG.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\OzAXPueG.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\RdNoqiHi.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\RdNoqiHi.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\RfcHRSFf.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\RfcHRSFf.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\SKvXgoIi.log Virustotal: Detection: 40% Perma Link
Source: C:\Users\user\Desktop\TADrPPcC.log ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\TADrPPcC.log Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\Desktop\TLlpvaAw.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TLlpvaAw.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\TzzXjEkC.log ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TzzXjEkC.log Virustotal: Detection: 28% Perma Link
Source: C:\Users\user\Desktop\UkLxLBCd.log Virustotal: Detection: 40% Perma Link
Multi AV Scanner detection for submitted file
Source: yQrCGtNgsf.exe ReversingLabs: Detection: 73%
Source: yQrCGtNgsf.exe Virustotal: Detection: 61% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BDesMBdT.log Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GJcAmyRG.log Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LCrhcYww.log Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KZthgyKJ.log Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FTTrxXjd.log Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: yQrCGtNgsf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: yQrCGtNgsf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Uninstall Information\599871f56ea49f Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Adobe\Acrobat DC\599871f56ea49f Jump to behavior
Source: yQrCGtNgsf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdbX7@ source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B4BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB0E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t\JPOyDhPFIytu.PDBd source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0. C089IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7 source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49722 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49710 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49714 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49717 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49715 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49724 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49718 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49719 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49723 -> 37.44.238.250:80
Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49713 -> 37.44.238.250:80
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.44.238.250 37.44.238.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 115583cm.n9shteam2.top
Source: unknown HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:24:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:24:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.000000000316C000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003719000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.0000000003379000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.0000000003487000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000003113000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://115583cm.n9shteam2.top
Source: JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://115583cm.n9shteam2.top/
Source: JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1825174326.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2191980929.0000000001057000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php
Source: yQrCGtNgsf.exe, 00000000.00000002.1532044343.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Creates files inside the system directory
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Windows\BitLockerDiscoveryVolumeContents\599871f56ea49f Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B3F0D48 0_2_00007FFB4B3F0D48
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B3F0E43 0_2_00007FFB4B3F0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 7_2_00007FFB4B3E0D48 7_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 7_2_00007FFB4B3E0E43 7_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 7_2_00007FFB4B7D8910 7_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3E0D48 13_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3E0E43 13_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B411525 13_2_00007FFB4B411525
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B41D988 13_2_00007FFB4B41D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B41CF12 13_2_00007FFB4B41CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F08B6 13_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F03C5 13_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F0ECD 13_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F14EA 13_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F04FA 13_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F04D3 13_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B7D8910 13_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 18_2_00007FFB4B3D0D48 18_2_00007FFB4B3D0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 18_2_00007FFB4B3D0E43 18_2_00007FFB4B3D0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 18_2_00007FFB4B7C8910 18_2_00007FFB4B7C8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 25_2_00007FFB4B410D48 25_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 25_2_00007FFB4B410E43 25_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 25_2_00007FFB4B808910 25_2_00007FFB4B808910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F08B6 30_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F03C5 30_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F0ECD 30_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F14EA 30_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F04FA 30_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F04D3 30_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3E0D48 30_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3E0E43 30_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B7D8910 30_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B411525 35_2_00007FFB4B411525
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B41D988 35_2_00007FFB4B41D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B41CF12 35_2_00007FFB4B41CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F08B6 35_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F03C5 35_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F0ECD 35_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F14EA 35_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F04FA 35_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F04D3 35_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3E0D48 35_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3E0E43 35_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B7D8910 35_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B3F0D48 40_2_00007FFB4B3F0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B3F0E43 40_2_00007FFB4B3F0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4008B6 40_2_00007FFB4B4008B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4003C5 40_2_00007FFB4B4003C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B400ECD 40_2_00007FFB4B400ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4014EA 40_2_00007FFB4B4014EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4004FA 40_2_00007FFB4B4004FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4004D3 40_2_00007FFB4B4004D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B7E8910 40_2_00007FFB4B7E8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B410D48 45_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B410E43 45_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4412EA 45_2_00007FFB4B4412EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B44D988 45_2_00007FFB4B44D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B44CF12 45_2_00007FFB4B44CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B441538 45_2_00007FFB4B441538
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4208B6 45_2_00007FFB4B4208B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4203C5 45_2_00007FFB4B4203C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B420ECD 45_2_00007FFB4B420ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4204FA 45_2_00007FFB4B4204FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4214EA 45_2_00007FFB4B4214EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4204D3 45_2_00007FFB4B4204D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B808910 45_2_00007FFB4B808910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4412EA 51_2_00007FFB4B4412EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B44D988 51_2_00007FFB4B44D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B44CF12 51_2_00007FFB4B44CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B441538 51_2_00007FFB4B441538
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4208B6 51_2_00007FFB4B4208B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4203C5 51_2_00007FFB4B4203C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B420ECD 51_2_00007FFB4B420ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4204FA 51_2_00007FFB4B4204FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4214EA 51_2_00007FFB4B4214EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B4204D3 51_2_00007FFB4B4204D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B410D48 51_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B410E43 51_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 51_2_00007FFB4B808910 51_2_00007FFB4B808910
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\BDesMBdT.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Sample file is different than original file name gathered from version info
Source: yQrCGtNgsf.exe, 00000000.00000000.1438001083.0000000000446000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe, 00000000.00000002.1537488842.000000001D9F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe, 00000000.00000002.1537488842.000000001D9F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yQrCGtNgsf.exe
Uses 32bit PE files
Source: yQrCGtNgsf.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: yQrCGtNgsf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe1.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe2.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, 00000000.00000002.1531069647.000000000081C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBP
Source: classification engine Classification label: mal100.troj.evad.winEXE@89/88@1/1
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\TzzXjEkC.log Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-RxLHfqluj2OpsLVcTfkV
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\AppData\Local\Temp\5mIZs8oYbs Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"
Source: yQrCGtNgsf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yQrCGtNgsf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: yQrCGtNgsf.exe ReversingLabs: Detection: 73%
Source: yQrCGtNgsf.exe Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File read: C:\Users\user\Desktop\yQrCGtNgsf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\yQrCGtNgsf.exe "C:\Users\user\Desktop\yQrCGtNgsf.exe"
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Uninstall Information\599871f56ea49f Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Directory created: C:\Program Files\Adobe\Acrobat DC\599871f56ea49f Jump to behavior
Source: yQrCGtNgsf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: yQrCGtNgsf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: yQrCGtNgsf.exe Static file information: File size 1912832 > 1048576
Source: yQrCGtNgsf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d2800
Source: yQrCGtNgsf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdbX7@ source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B4BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB0E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t\JPOyDhPFIytu.PDBd source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0. C089IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7 source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs .Net Code: Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777245)),Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777259))})
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B3F00BD pushad ; iretd 0_2_00007FFB4B3F00C1
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B7EC7CA push esp; ret 0_2_00007FFB4B7EC7CB
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B7E6301 push eax; ret 0_2_00007FFB4B7E630D
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B7EC9C9 push edx; ret 0_2_00007FFB4B7EC9CA
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B7EC94D push ebx; ret 0_2_00007FFB4B7EC94F
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Code function: 0_2_00007FFB4B7E78EA push ds; ret 0_2_00007FFB4B7E78F0
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 7_2_00007FFB4B7D6301 push eax; ret 7_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B4227A6 push FFFFFFE8h; retf 13_2_00007FFB4B4227C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B4435A8 push eax; retf 13_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B3F6902 push es; ret 13_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B7D6301 push eax; ret 13_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 18_2_00007FFB4B7C6301 push eax; ret 18_2_00007FFB4B7C630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 25_2_00007FFB4B4100BD pushad ; iretd 25_2_00007FFB4B4100C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 25_2_00007FFB4B806306 push eax; ret 25_2_00007FFB4B80630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B4435A8 push eax; retf 30_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3F6902 push es; ret 30_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3E01CD pushad ; ret 30_2_00007FFB4B3E0286
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B3E00BD pushad ; iretd 30_2_00007FFB4B3E00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 30_2_00007FFB4B7D6306 push eax; ret 30_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B4435A8 push eax; retf 35_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B4227A6 push FFFFFFE8h; retf 35_2_00007FFB4B4227C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3F6902 push es; ret 35_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3E01CD pushad ; ret 35_2_00007FFB4B3E0286
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B3E00BD pushad ; iretd 35_2_00007FFB4B3E00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 35_2_00007FFB4B7D6301 push eax; ret 35_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B3F00BD pushad ; iretd 40_2_00007FFB4B3F00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B406902 push es; ret 40_2_00007FFB4B406907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B4535A8 push eax; retf 40_2_00007FFB4B4535A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 40_2_00007FFB4B7E6306 push eax; ret 40_2_00007FFB4B7E630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4735A8 push eax; retf 45_2_00007FFB4B4735A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 45_2_00007FFB4B4100BD pushad ; iretd 45_2_00007FFB4B4100C1
Source: yQrCGtNgsf.exe Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe.0.dr Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe0.0.dr Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe1.0.dr Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe2.0.dr Static PE information: section name: .text entropy: 7.539307714759452
Source: yQrCGtNgsf.exe, DvbPX8YLvWuo51oXHMM.cs High entropy of concatenated method names: 'jW2YyIHHoH', 'ukkYEJ2FO5', 'LPXnF64y7Q40qGD4DlBT', 'im6q8a4yQDiRjPVrhFv2', 'lNAFKr4yxg5QVhJsOcwE', 'YcJctt4ygyImh3PCy7mP', 'q06U9V4yRNWyxt3t1sbD', 'OCUiXP4yARI05efMfl2s', 'dZK0hs4ySNJQLkBlff6I', 'eElPtC4yJoIKZsF2FVTV'
Source: yQrCGtNgsf.exe, MH0HM5kcu7qqO4n4kGv.cs High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'BIw4ve7LKnl', 'iA44k4PU8kY', 'XKJabQ4DVg9qL6oNf5Ma', 'W7Tukb4DFgH9mBgb5l8e', 'tGgVOR4DO4W2AKwBxGOb'
Source: yQrCGtNgsf.exe, psAF1K8KiVi3xSxBxKP.cs High entropy of concatenated method names: 'NmL8kWmBus', 'un88mfrS65', 'PQ28MqTKOY', 'TLI8YnYuUF', 'BnY8v74XiG', 'QDo880jEnK', 'See8HhKQqg', 'E0u8bn81TG', 'nUj834oGYq', 'mnc8nJ6qIy'
Source: yQrCGtNgsf.exe, JbuyEAm0jJifc0CIZAk.cs High entropy of concatenated method names: 'tu5mrZITyr', 'nT2mT1U0Ud', 'vlumW9pOnv', 'cmxkZJ4LEGq2GoYZiIwy', 'wSJ51j4L6SU3SHZVf3ts', 'WSVnLM4LjHexbyWkuB2K', 'vbaYnp4LygsUoB0BmymR', 'SnFmF0IQ3P', 'G3VmOJkPbA', 'nVvsoH4LDoaP2KSPo0A7'
Source: yQrCGtNgsf.exe, WYWsmUWxbqHEMATixYU.cs High entropy of concatenated method names: 'sd7Wg2kTJI', 'CHgWRucbLC', 'pTOWAyULhd', 'm1NWS4dw9r', 'KFvWJTohU1', 'NajWPyg5Vm', 'Pj5WuYQCFd', 'Jj0WtliCXI', 'xJlW5PyXH2', 'WnDWB8NPgp'
Source: yQrCGtNgsf.exe, hqCa1qvHfFepx5Os6To.cs High entropy of concatenated method names: 'cpLv35cYgA', 'iJcvnj7H8l', 'RuwvqCjxod', 'py5GQj4E3oyXfV3Uao0D', 'JIT2iG4EHYn0A2kObY95', 'NKnQVT4Eb400OhTsIrwt', 'Ja5Krg4EnjrSNI9fL9ia', 'yS5NiS4EqoZBvajUdUIh', 'tkp0WX4E1NM7nL1Jc26K', 'dEXWq04E04VgtIE5x15p'
Source: yQrCGtNgsf.exe, sUHFAkha5jNW62KqDCp.cs High entropy of concatenated method names: 'XkR4vC97yI0', 'Q9U4McnM9hy', 'r7A4J04iz2D4mLMvFEsV', 'Ijma9d4iZUf9a64tE1Gd', 'R69GEm4iIb6koTqUp66K', 'IJYloZ4fXTRIse9QQMjf', 'nS5jXC4fkMbNKQt42XXu', 'qeVeiO4fKQTuyM5U4ggw', 'elnI5S4fe22e1eDQHjTP', 'OLIyuV4fm9NR0AJdIAPu'
Source: yQrCGtNgsf.exe, Dljj3gvSJYDfwGaQfJP.cs High entropy of concatenated method names: 'nxeviY7GKO', 'JqAB484EzMY5xGDEfnh7', 'zy4Cur4EZVpgCxrlxfeh', 'eH5PgP4EICkF9yY4k1FW', 's3xZDJ46X1HeLgtpEb2u', 'qLrUmc464hW9At83bE3b', 'P9X', 'vmethod_0', 'pJJ4krRGc3h', 'imethod_0'
Source: yQrCGtNgsf.exe, dnOWXmMO93Y4jrPFYEm.cs High entropy of concatenated method names: 'cUAMLJsHCi', 'dnZCmo4jDPBAn3v1ShyL', 'IYtDfw4jLx8QlEWlJRTa', 'zsUuIg4jjRCZjYS1HWul', 'MOn7mu4jyr75kp9m3LcF', 'E94', 'P9X', 'vmethod_0', 'hgM4ksshNYl', 'mg64v8dTUbq'
Source: yQrCGtNgsf.exe, hDPAnm4hWqTQatJKM7b.cs High entropy of concatenated method names: 'P9X', 'vO64i2x7Ff', 'zNG4vX1Ii32', 'imethod_0', 'RE14f0JduN', 'hc7gvV4rBbxwjCaDbfTw', 'vyxRC34rhnoDlZ7Jd666', 'Xpi8fO4rtvt4IKYSDuIv', 'RMc8JV4r5O2AU05k5JG5', 'wwUfCA4rdcJmycs6pu1j'
Source: yQrCGtNgsf.exe, zoHUXZx6k9ZCVE4pasq.cs High entropy of concatenated method names: 'opGDgk4dp1cjHEk8gyX0', 'jGco7M4dQuo4e1led4Lk', 'mdGIvN4dwuJJO9fIXSMk', 'ebvn214daX2mbZATMPis', 'sBROS44djuwNcJpJoFvN', 'MeunDn4dycYFG5T7FFD9', 'WnnMuF4dEiV18sOeZCqm', 'ttVjGZ4dD7s0FfhrTLq6', 'RfNToM4dL7HjFCdCnHSc'
Source: yQrCGtNgsf.exe, TtADfZl4Fy4mVifoslF.cs High entropy of concatenated method names: 'rC9', 'method_0', 'hPw4vUe5Rwj', 'yO74vsUNNWc', 'pISIke47LSe5Z9EGKJUm', 'Dy9Wt147jSirjZCR5DbK', 'e6wD3E47yiTrHuugWO10', 'JGvhXN47EnLKXtCfiNJj', 'z2oThf4760du5A7a1vm4', 'Bq2tuV47wuNBWfoEWm1Q'
Source: yQrCGtNgsf.exe, T6YZ9wpLac9jGIqbLEc.cs High entropy of concatenated method names: 'ScJpypJ4K6', 'N0ppEkmDPw', 'NDvp6PbFr9', 'LK3pw3S1hQ', 'eGMpaPq7Yi', 'eddppd7ZcD', 'lTLpQYW1lU', 'ES3pxj7Zyj', 'IPqp79sE19', 'QMOpgnoBm5'
Source: yQrCGtNgsf.exe, q1WIioZoaFLGWWvfKkx.cs High entropy of concatenated method names: 'GPQZWLX6Cq', 'WSEZDKbot3', 'w7aZLnjOp2', 'AwTZjV6SUa', 'ljYZyA3Tv0', 'ojxZEYUlpL', 'FDdZ6PQSCF', 'HYmZwMuP3A', 'Y2DZatLk1w', 'wM6ZpbQYEp'
Source: yQrCGtNgsf.exe, z3SosPZQgRaHd4C7XE4.cs High entropy of concatenated method names: 'q8G4Mj0NQ3X', 'uaw4MyE3slR', 'uCs4ME8FtmE', 'UDd4M69CJEr', 'SDp4MwGRh2Y', 'BVh4Ma1lSPR', 'x6u4Mpbuj18', 'XOEImaC3AL', 'LQf4MQYLdpi', 'Wd54MxqtJ1b'
Source: yQrCGtNgsf.exe, zDHJmL8qudnHfVxrhaJ.cs High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 't5XtNf46FjcUq1FGl9tC', 'aWLeAi46OadFUWM4cWtH', 'ixWuSG46ccxoZMiWfS1X', 'v8ZwvZ46Cf3HPCW16S07'
Source: yQrCGtNgsf.exe, Dk2UtgTIcp2EubvdW5p.cs High entropy of concatenated method names: 'd2WWX59ws7', 'a2MW4MZa4j', 'gvfWKvWBHA', 'xeAWefYmqK', 'EcgWkw0D4a', 'BPRWmFEIf6', 'sKrFZj4JJGnAG4rM9pLN', 'VhSpnI4JAicjsbJTOZUU', 'KJKrew4JS29flAmSjXk0', 'qQXjft4JP5gMWy3nVhoy'
Source: yQrCGtNgsf.exe, HiEXX1NnIpB0mexsL1j.cs High entropy of concatenated method names: 'weLF4KMDRR', 'aVVdtv4RlC8lZqaWBay9', 'TRhFxM4RU9UAl4SNwsUx', 'nBve6M4RsElPRSP7hMW3', 'NHpfMf4RNjkF423FoAkZ', 'my6N1v4CZU', 'hNcN0Qd5ux', 'UGxNGohY7b', 'J6tN937As8', 'PdrNo5tTtj'
Source: yQrCGtNgsf.exe, w4dtPTsqEjqOYnEpyn8.cs High entropy of concatenated method names: 'oPDssHx3Be', 'W5T4Sh4xJABwO9sXFGv5', 'K2s8DE4xApmLKEEMpmfX', 'CSN4RG4xS31bI9xXc0XK', 'fRaMDB4xPQOyHTJwy9u4', 'mnms0WnhiP', 'FoOE7n4xpJOPWsP8fDVn', 'QAGhDp4xQsayP23eZ0I6', 'mLdgL84xxOXn6vcYJDZw', 'AjQdJl4x7dS3Bwq4pyGQ'
Source: yQrCGtNgsf.exe, GKtIxPsutcaKTShmZYJ.cs High entropy of concatenated method names: 'i844vG3adXR', 'QIJs5W2CRP', 'RrE4v9oV2Vl', 'uOCUp547oqiMmn0ioV7o', 'PO838V47GDXmdPBS1CK2', 't52oNG479jW4eJNDf2CE', 'qJlFLe47UWe5Znye567F', 'IH9RSo47sORPhEqLXPcq', 'wxQhLs47lq1cEI3YwLCU', 'GSsODO47NTS5m2U4CIjK'
Source: yQrCGtNgsf.exe, Owt4y1KL05DFLNjdcmc.cs High entropy of concatenated method names: 'CYSK7iB7Mw', 'og7KgfInyA', 'ERwUN24TERCjCR8mKLmb', 'q39du04T6F2Wh9T9UG5n', 'pI5OQD4TwZRilV5WhAeE', 'cBEKJFXjME', 'CyZRMD4TxixrZWCA5RJq', 'Nu9qq44TpmEFu30sC1Pj', 'LbbgEU4TQpp9m2D79pEO', 'kJAKyKqf1H'
Source: yQrCGtNgsf.exe, tSOZGVYnEniAdQEtVOZ.cs High entropy of concatenated method names: 'P9X', 'E284kVEIPsn', 'vmethod_0', 'imethod_0', 'j6ul324yG4RtiLqW6q31', 'YFuib64y9XUJBkrvd7ZR', 'ypfK0S4y1lNfebGgXTgJ', 'fdEkAS4y0OVQdMJPuE7p', 'EreMHl4yocJa25Lwf1hH'
Source: yQrCGtNgsf.exe, Afmt2fmRafHY49hHic4.cs High entropy of concatenated method names: 'OsJmu1k11L', 'dpn8wg4LzhAIvrxatTGH', 'rXcl2K4LZvUyPvQpFUdl', 'To5DKc4LIuA3WdxEKXMF', 'iKfNM94jXs3tcoRBnKUS', 'pN356N4j4O09wTOFOnLJ', 'U1J', 'P9X', 'pAY4k0qPi4f', 'wQA4kGHUGok'
Source: yQrCGtNgsf.exe, D567mMFHbuSdWZM3X6E.cs High entropy of concatenated method names: 'WX2FLNwqPT', 'BprF3dyTu0', 'uPkFnYKNVB', 'taKFq4Z1Uo', 'rymF1Asrr9', 'C5gF0fxl6C', 'GufFGbwCmg', 'sjwF9seSLR', 'amaFofnyTs', 'XdpFUqa3Hd'
Source: yQrCGtNgsf.exe, B4hGUV8FaTlDUySXuOs.cs High entropy of concatenated method names: 'UgvFMq4aOQl6GSAC28Vn', 'CtEGVL4acLsKowQmGEs4', 'pNmu2K4aClCA0uuNySup', 'LwEqIHYB0U', 'S3i0AK4aDSWffE2PMccG', 'qBV04n4aTabiSNgLSuvj', 't0uow04aWrc1E4y6XTfS', 'Fl0rRR4aLZjsl0ocERMp', 'TdaA6N4ajSQQUAIEK7B2', 'ph414VoyEF'
Source: yQrCGtNgsf.exe, uCy6m6ORMgvECyajo0F.cs High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'gi7OSbuP5E', 'jtUOJKqxvt', 'Dispose', 'D31', 'wNK'
Source: yQrCGtNgsf.exe, n1jjWg4I9rXwsi1ypeN.cs High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'Q634v4RlmHx', 'iA44k4PU8kY', 'g8XPNc4rZi6HEK4fTPL9', 'ubs6y84rI3gGn3hDyrZc', 'G9UhPD4rzwBwjmeoyTMg', 'WUIDuN4TXI3d7d3L5Cdx'
Source: yQrCGtNgsf.exe, cRnhvHF5rGeeCJkN3mm.cs High entropy of concatenated method names: 'yAfFhxsI6T', 'VeVFdF5fTP', 'KQBFitiWxF', 'QixFf5sUTp', 't11F2YxwAX', 'AGYWVn4RPavrg2akGCB3', 'WweqYy4RS1pcLi4WdEB6', 'ojxPbr4RJa10jhxhbF55', 'fj0GmR4RuHkI7rxIMQaa', 'rpqptI4RtkpWxmLnVDdw'
Source: yQrCGtNgsf.exe, N4OS4em8lGP5qKq375S.cs High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'IGY4vm6geP1', 'iA44k4PU8kY', 'VStFQt4L3fIQTgPXg4dF', 'yVkAb84LnkHPay2hwo62', 'mZx2pf4LqbfCjiOoWdKr', 'F8hSQ44L1nJvcT115mU9'
Source: yQrCGtNgsf.exe, BtvZ1qLvdXYhGk5yj57.cs High entropy of concatenated method names: 'leILHn0fJH', 'YUkLbg3bvk', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'obvL3aSxJ3', 'method_2', 'uc7'
Source: yQrCGtNgsf.exe, gflDllmQP962YM7q1h4.cs High entropy of concatenated method names: 'q64', 'P9X', 'APv4kqcxRc1', 'vmethod_0', 'cPw4vMdIctO', 'imethod_0', 'wwkhes4LRYU1Qhafb9FK', 'zgPkRy4LAuO3jMUNpwF1', 'RHdDL74LSJooYDqKE1Vi', 'xFvgMe4LJ6NT7qNUCyM4'
Source: yQrCGtNgsf.exe, kiStgPzypIPEDZhJly.cs High entropy of concatenated method names: 'Unn447mPCd', 'Qu14eRkkIU', 'uPe4kjxZSJ', 'R6y4mBRmjX', 'IEj4M58PuF', 'Qm14YuHDAF', 'aGB48FvyOt', 'U3EaUL4rmjQDBkCQDDRX', 'HMkXc14rM7O3RYygmZJ0', 'W9Hh0Z4rY0B5VaX6DA37'
Source: yQrCGtNgsf.exe, qlnK6kjldNEr9VbZJ8B.cs High entropy of concatenated method names: 'aTdyqGv88u', 'O2ZGy94tESg2qjSyBprX', 'O46vLI4t6kDEajPxvstf', 'kt5', 's4FjVugWl1', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: yQrCGtNgsf.exe, Gbku6wet8FFPdbS2QFq.cs High entropy of concatenated method names: 'MvqkeRK7OL', 'twqkkAhadr', 'DPIkmt429I', 'm7xkAo4D4OkPP54lgMRr', 'GDpuGp4DKpADWR9tYDp7', 'SscyeR4WzubgUwlxR71G', 'DEjZ1v4DXIXsXZMQVmb2', 't10kbjtXEG', 'uUC5Rj4DM4otdGadJwSL', 'AWPQ274DkStZPWGK9OkA'
Source: yQrCGtNgsf.exe, ocGqqPKsFPu8S9FbWau.cs High entropy of concatenated method names: 'H0HKNlRSNN', 'poTKVjyS8J', 'U6fTpO4TFDwUigAKH1eY', 'TSrqE54TNGWrp5F406Gv', 'tfcv7K4TVRM4rHv7WJkA', 'CDXuwP4TOISTHjcRZtFE', 'gs9CV64TcAWlmNYdqGNw', 'NDSq3C4TCMw6igP8R9Re', 'H5OwGx4TroXOYkjLunlJ'
Source: yQrCGtNgsf.exe, jZiYygCb3ioJ9l4smRm.cs High entropy of concatenated method names: 'h1FCnfpWeJ', 'tBaCqA6VXh', 'HqVC1iCm0Q', 'jUCC0Tkjwd', 'EdfCGXIeJK', 'lbiPCu4SvtImF3caPe9w', 'Qjjw0u4SMBphamNrRLlN', 'ombI3f4SYnPLxcCH1RPo', 'UwAm524S8pnBf5TxIrPf', 'Yd6Jyv4SH430ahE7k7b1'
Source: yQrCGtNgsf.exe, updinnfqtsdCXK42ewU.cs High entropy of concatenated method names: 'x5WKm3cweMc', 'iGVEZF42SGAf1uvtvlVC', 'zpqL2642JqB6wMEx3l5f', 'gwRypO42PIxsaXlUnLaS', 'nji7iv42uT3Q9gbuuD8H'
Source: yQrCGtNgsf.exe, vPu71Iw6Naxrgje5gog.cs High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'wnIRdv4BojMUK8cXdZBh', 'XD7eVO4BG7e1GkpoRxNd', 'HWm6h54B9yARyRppA5vQ'
Source: yQrCGtNgsf.exe, HiJZHiKtL7J32rWSkwF.cs High entropy of concatenated method names: 'nCqeYluwkF', 'wcp4S14Tf39EPX9hpon1', 'BZy2t24T2KgZ3BrUQchM', 'z49jK94TZWae6gl9bmCR', 'kRLgRu4TIFtla9XG9w7F', 'kKf9qL4TdNiMDaikCFKO', 'QCyqVk4TigS0jcNamKPp', 'wMlCfs4TzaTxCcwNDWFI', 'sWHeX6SlIx', 'jNyeKPNrX1'
Source: yQrCGtNgsf.exe, zht64Qm5oOWJci8a3OL.cs High entropy of concatenated method names: 'XvAm2cFgUA', 'L4PmZpwy89', 'JfdmIeENRn', 'CCXmzX6h2M', 'KJnMXd1RA4', 'tbCM4fIYAO', 'jeMMKpkjaN', 'BCyiwe4jbraTNgQP1gHB', 'dX75Mx4j3rKh55PhhIu8', 'UQ4mqy4j82N0oeVgE3Ti'
Source: yQrCGtNgsf.exe, hs2CShfXyyBTUemBMgJ.cs High entropy of concatenated method names: 'W6CfkwWLG3', 'SbCfmYQZSG', 'HoHkoZ42yy9AC9ZM4xao', 'L3nH7X42E0BBKV455xFf', 'cnUjPW426qD7BgnkyUWL', 'VD7eyX42w7YT7SChshfe', 'ejUfKOeKR5', 'FhPfPT42WCkhoZyNVp1V', 'FUBd8D42DRCMAvUtoq4M', 'e4kEIM42rHs8vyXdS0ZW'
Source: yQrCGtNgsf.exe, BtQ1L8Y7TrWReEFRRWY.cs High entropy of concatenated method names: 'uACYiwS5hT', 'nsPYfIOsKM', 'xYXvW54yIP0JYRcUZSMC', 'kQAIyF4yz9QSANP0n4nN', 'qujYRb6a6B', 'xOsYAEIMqc', 'LWsYSM8N1b', 'LqJYJe21Xx', 'LDTYPnLgXx', 'IGfYunrSuJ'
Source: yQrCGtNgsf.exe, CU396sinmLclZkWoVQB.cs High entropy of concatenated method names: 'zgVi0Z72XN', 'ECZiUnjM9h', 'VMAiNpX7hj', 'WW3iVp7gZb', 'VfsiFBRr1W', 'KeaiOdZ3Zy', 'Ydlic85NKO', 'LrliC2e6Uk', 'Dispose', 'H00a0W42KTeISmppVEPS'
Source: yQrCGtNgsf.exe, tJptC3M7NF85H6rjLyv.cs High entropy of concatenated method names: 'IGJMiraZrW', 'iGjMfwPaGP', 'KEhM2DHAkd', 'YXuLPt4jZM6MLMxUFaEe', 'caySGT4jI4s5H80anGkq', 'Do1q7R4jfAiEwxGBRVhE', 'x5RXou4j25nc0jsZLYvJ', 'eLxMRdra9K', 'HHNMAh63LM', 'hKCMSHO6EC'
Source: yQrCGtNgsf.exe, G5W2Bdl0OrER3fDqqAj.cs High entropy of concatenated method names: 'YMwbQB4gq7HpbbPy25vg', 'ODclni4g10jnaWGAfXrk', 'gvD17d4g37oB5PSjtTrb', 'D6AWTV4gnIyY08Ldmymg', 'method_0', 'method_1', 'kXFl992ByE', 'wIaloWrap7', 'm5flUYn9HO', 'vTIlsRZw7O'
Source: yQrCGtNgsf.exe, wGPoPgCLXoX7UoTrQoa.cs High entropy of concatenated method names: 'method_0', 'dLgCyWLkiU', 'KoICEDsUPL', 'NTxC6K9AYW', 'OehCw1RIS8', 'hNSCaxsG29', 'GwXCpCYFgc', 'Oof2Ua4SUu8gQZKULnKC', 'Yyf2624S9oRbZAZ1XajA', 'ahD2NQ4SodPgBfnGfh8p'
Source: yQrCGtNgsf.exe, NZnJ7Uch43y0LspCXXU.cs High entropy of concatenated method names: 'R5Ccix5suG', 'KJscfrdn7x', 't04c2ur8xS', 'hIKr8t4S4YMLdJoK4FAd', 'e5wvTm4AzrU3L7xcrT65', 'ynCoWY4SXYEkcf5iTPpT', 'V5R7gL4SKZWJhQ3fMn2N', 'AaM0JH4SesCKB7jenmF3', 'hbhZoR4Sk9NF1lsVxOCm'
Source: yQrCGtNgsf.exe, bT7dKtWn0qejywFIYdX.cs High entropy of concatenated method names: 'Q3kW1K7Vig', 'qnGL9N4PXIjH5cAn18cH', 'x7XRGk4JIAjfufb32Mnv', 'AUph3p4JzYW0laB5Qs6P', 'bIjTM04P4W2F9oKMOFZu', 'Um24Sh4PKBh47UpSW83L', 'qgkh7Z4PeaTpQjAQB43o'
Source: yQrCGtNgsf.exe, sbSOuV9HKnfkdu3G1U.cs High entropy of concatenated method names: 'dtqE4pCtb', 'vUZ8Or4CDNXkbgm6Fs9o', 'oHeOxf4CLmRE52Cirdof', 'WRPRXW4CTjXawGjXT3Ke', 'JCblj64CWKP4IUPpv3mB', 'SyFUuN83b', 'c0isKb4S0', 'GPGl5Zi4O', 'FdINsZVJc', 'icWVSQZJc'
Source: yQrCGtNgsf.exe, rgCow7y6bC51IKsoD5j.cs High entropy of concatenated method names: 'Close', 'qL6', 'g7vyaLqsdJ', 'QZiypEWReT', 'XC4yQHBhNR', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: yQrCGtNgsf.exe, jy3xodvNgelBAEGSTYT.cs High entropy of concatenated method names: 'vuivFOqFQs', 'aTkXtB4ETyj9ME0vDxqA', 'QHFYMU4EWhaQTIBG1kGe', 'cBOKyD4EDSykB81KPnrG', 'lebNeV4ECdwkHDQhY1HU', 'xA5IQs4ErYMwR4eHu9DG', 'obg3rT4ELhA2VTAo1pbu'
Source: yQrCGtNgsf.exe, gysy46p8c9mDrVnLuVe.cs High entropy of concatenated method names: 'AAUpOW9Jwg', 'v8y7JM4h4i2FZ5gZdKZ0', 'CtItqO4Bze0Rg4LJUhsU', 'wlsSUO4hXUMuEGXK3AYQ', 'iw6dbH4hK2b442hMYDCG', 'h21I3Q4hevWaDWhocBlD', 'IPy', 'method_0', 'method_1', 'method_2'
Source: yQrCGtNgsf.exe, zCKA0IUTlaensuHWLEY.cs High entropy of concatenated method names: 'rqyUwsRXYW', 'c5mKyi4QZTPvfEN9kwgw', 'QwlQ5a4Qf8rg26hHjuBT', 'T8VWPA4Q251KT8dX99gr', 'DiRGNc4QInBK4FGUC6PC', 'sCTUD1AACN', 'UGgULDUn17', 'TF6UjZgvUd', 'Cp4UZb4QBR5knxNAXclI', 'f6iEoU4QhQchfCblo6KL'
Source: yQrCGtNgsf.exe, jQVaybY8eQa2CC5MamI.cs High entropy of concatenated method names: 'UIZYbAdmlj', 'OCeY3wE2QN', 'lfcGI94yv89Txdl1Tb6P', 'Euo2SE4y8aj9jeMZY4hD', 'sJqCN54yH4EGcKQWdiY2', 'isRxd24ybJArMYUrWUIT', 'zxMq6E4y3cZJH7LSh8se', 'wnyG5S4ynVcE5GlfiKkT'
Source: yQrCGtNgsf.exe, ViTDYyvGvxKPP0bnQUV.cs High entropy of concatenated method names: 'JB1vsyb0IV', 'YyvoDO4EOs8jPhyqqSXU', 'nKt4GM4EVrxk3YBhAoWP', 'uqA31l4EFYE82Iabme3p', 'QJ9vo532O4', 'nbIem94EUjT8nSNEp8EJ', 'NSeD8C4EsxHJu1mmhun9', 'wEdRPM4E9IcjsB0x1OYU', 'xcKsX14Eo6UaM9Onsj1x', 'uLOwth4EldasNQCTXZGu'
Source: yQrCGtNgsf.exe, v1Xh80Qf0p1u1CORBhK.cs High entropy of concatenated method names: 'ArKQZgYykU', 'fIkQIKgZRA', 'G6ZQzAEg3R', 'jHqxXtfApZ', 'G7Ix4mfMuA', 'fLZxKlyTj0', 'rKLxee3KHN', 'pqixkCvxE2', 'VnOxmD78S7', 'gl2xM1Y7i5'
Source: yQrCGtNgsf.exe, jARLKnYU1UivcE1Hvio.cs High entropy of concatenated method names: 'F1EYT0Q267', 'IDWlGe4yEqbWZSHCYZDn', 'RxAae84y6UAhHoGko3iN', 'zWs7Sv4yjlxOLSdQqQ7x', 'LZ1fOM4yyr3mgS87lXIe', 'hofQIk4ywXwk6iNWHPC4', 'DeRpLV4yaJlMx09b2Eo7', 'KPcYlhMVDe', 'lEsYNd8bmb', 'eRxYVf5rdG'
Source: yQrCGtNgsf.exe, U4mhPWeCn6mjApvGspQ.cs High entropy of concatenated method names: 'YPnegWknpS', 'yjoeRWErdw', 'jXaeAHFGay', 'REhqPI4WpcdkBcR5Mumd', 'lSanMp4WQNVvjXRRwF4Z', 'L5Ko3x4WwMN7YPakX4hP', 'WN9OQ44WaGPPvjggY9Xn', 'h8teTlw3G6', 'TMLeWNtFoQ', 'EiSeDSpOCq'
Source: yQrCGtNgsf.exe, cLd8aP1bfHdCq9rvW5x.cs High entropy of concatenated method names: 'Dispose', 'Yv01nnQ9ua', 'MKc1qUDTGX', 'GBl11TlOsD', 'Kf29Uv4aPEAqiTy2ebRT', 'NmC8An4aufrJfshkpyVt', 'N3C8P54aty5eD46WOmtS', 'WhZlWa4a5ygBaakDX1LZ', 'ibIT7T4aBnsTCAGHatSY', 'TQjia14ahMBq4aJNt6FK'
Source: yQrCGtNgsf.exe, J6PedsDIGYDr3cPRUsX.cs High entropy of concatenated method names: 'iYsLXUGIOH', 'joGL40r3mx', 'Yd7', 'ItxLK1Bdlb', 'JekLecJMxP', 'pEOLk20p7R', 'acGLmxNb2L', 'arXBK64uQ45crjmMXtpF', 'vTCl604uxHFufGBY1a5S', 'P7bR9p4u7DdQ9PYHhbxt'
Source: yQrCGtNgsf.exe, oyFGC4r7jB8CAJ4tmsc.cs High entropy of concatenated method names: 'BnkrZA7ZQk', 'hgArzRuAHy', 'XnwrRt9Gqm', 'jxJrAvCDeT', 'IB4rSHVED5', 'IxurJBbbdp', 'YAJrP5o5AA', 'cCSrud5HYO', 'VmIrtIbF9o', 'm3cr5L6gOg'
Source: yQrCGtNgsf.exe, UTCB7OEtLAQ8TRX3RC6.cs High entropy of concatenated method names: 'OGEl7t45te2uym4J5Ql9', 'hLtmHG455wBLCowCtUlu', 'YQPEIk45BT0tgvrFPyej', 'bV2EBeM1xR', 'Mh9', 'method_0', 'HDuEhIn0EC', 'W95EdT8e1A', 'aycEiMbpGy', 'SFUEfyIxey'
Source: yQrCGtNgsf.exe, LCuFHWcF5jhsSaIkYU3.cs High entropy of concatenated method names: 'MdoccAPSYU', 'p68cCaHGE4', 'f3XcrFNC4Y', 'b1lcTGjOKl', 'eUScWDskMj', 'wRxGSK4Au9pyg26CddPP', 'fhQAMh4AJLw84XI3xe6c', 'mp5KeT4APAEnexjMrRgW', 'vKKNys4AtIeKXXv8mZcv', 'HZ5ImK4A5cLvQNyLYIuF'
Source: yQrCGtNgsf.exe, OPvCaFUh3IZvLKrSEwe.cs High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'NMV4vnL3PW6', 'Wow4kSmKIxZ', 'hSh7jE4xqFeEtJCiOSVP', 'PxGAtP4x1WmHdRVAXFdX', 'mX1tkb4x0AIXxRVGc0qi', 'qKuSLK4xGcx4Ywlco4KM', 'JaKPLb4x9YOnMHOqA1y3'
Source: yQrCGtNgsf.exe, T1krChiLy9W2KE4m3B4.cs High entropy of concatenated method names: 'Pjeiy5Pt2N', 'a9GiExTZPs', 'uxYi6UYOUh', 'CsCiwjnhvR', 'Dispose', 'FCIl2342bsNOqiG863RN', 'cE9EOY428eMptx9vxJTy', 'k8cReD42HxgMrdAyAVkp', 'BCJ8Lt423ha8tm1lpwsR', 'EadmCm42nsEvJFRujb0o'
Source: yQrCGtNgsf.exe, N96j8IQLGkiECP4I06i.cs High entropy of concatenated method names: 'RQnQy6nK6l', 'RJ5QE0quoe', 'xn8Q66dJnE', 'eXCQwPwC73', 'TRNQaX4kCq', 'Ds5QpvOwet', 'vkKQQekp1N', 'j6TQxQFOO6', 'AN0Q73eX25', 'krXQg989nW'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs High entropy of concatenated method names: 'cG6vjM42dsQLrT63LpVZ', 'r2d5VC42iQg6reP9Uo3o', 'R3P2hOXTT3', 'eXh2Xo42IXB0iFyoXdAj', 'BSyLlq42zWdaE4nodJ2E', 'h65eTK4ZXJH3q3nMwxmU', 'SBp8j64Z4FOl5nrF5vkb', 'H0EkkY4ZKIdlPxMTnK2b', 'vmeE2T4ZenXf9AD9DGmo', 'DkvQwc4ZkVVCp5llUFes'
Source: yQrCGtNgsf.exe, kyZiO71VWBjLmoCWjKv.cs High entropy of concatenated method names: 'EVXUnuKmhU', 'J9XUqX22tM', 'qJqmiH4Q67ttvuGgGrgd', 'oEFoci4Qy2WilrG2NpOu', 'GaV9mr4QEmx4si1NVd0g', 'E4xYVA4QwWiQ1wULttjk', 'em5jE54QanQ9Lg2sFufA', 'YasUUErIbn', 'AA55kY4Q7EgK3qqsfijG', 'FXomjv4QQcFNLa9qsfQx'
Source: yQrCGtNgsf.exe, Ufys8FUpnNgh1KIOvw6.cs High entropy of concatenated method names: 'pCyUSn9KIt', 't6JUJPb7Bx', 'dCEUP4crEO', 'ryBnbC4xmVpj181lCoPf', 'Eeh0hI4xMJWHpDVRjRpM', 'i5Dkhu4xeIS5dru3VVoI', 'Ne9QeE4xkEYcvjIn07M3', 'JreUxvIiJ5', 'XrMU7DXiHc', 'vCEUg6pLVZ'
Source: yQrCGtNgsf.exe, FQ2eTyWLWOmdIgWVmC3.cs High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: yQrCGtNgsf.exe, B0FWVsDAD0QxqILTyH0.cs High entropy of concatenated method names: 'eTTDJGcvUA', 'DmgDPjR5Vw', 'KoaDuC5tbb', 'fgHDtL18u5', 'hmxD5SYSm1', 'gFntj04uTfvyb7BO9pxj', 'EK6d054uWVVoPFhgFggE', 'Xnm49p4uCdYK8bdACJhk', 'KYEsfT4urKc6jV1qx3Wu', 'XmUnqU4uD2D8ScqPIkx3'
Source: yQrCGtNgsf.exe, Ces4gbytSgEFnQyWEBM.cs High entropy of concatenated method names: 'quJyBpYrZ9', 'k6r', 'ueK', 'QH3', 'nrsyhjE4cK', 'Flush', 'ABJydKUr4J', 'decyisCaG6', 'Write', 'ujQyfpNi3s'
Source: yQrCGtNgsf.exe, wIsYM7Km5NXn0TDhZlS.cs High entropy of concatenated method names: 'rT8KYEcChp', 'rPYKvoRFYY', 'iLMK8EBOWt', 'fvUKHfJ6Va', 'QRIl5U4TnI8btD9xgKyc', 'kRks6R4TbnYlkAj8mPfa', 'dNbhdI4T3kWOlbHtPCBe', 'DlSA7K4Tquex2kIhmlwL', 'F61Sm34T1xPsDlptPsih', 'PGV9GQ4T0PhEa0stTeey'
Source: yQrCGtNgsf.exe, YDG8IOhLo1WqtkweBn1.cs High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'Qp7hyb3PI9', 'QGFsrY4icAKg0bI6e445', 'kGaqN34iC1FbMDGRWSKY', 'T6bWtM4irB5riJbOl2UW', 'R5hiRb4iTUIM7YUC06Vw', 'oWHwQB4iW2jaaQRxoJ73', 'L1xACH4iDIdWRwni8kdU'
Source: yQrCGtNgsf.exe, VA678lvrnnvSlUK7FZ6.cs High entropy of concatenated method names: 'elUvWKHqyM', 'w1AvDuNNbL', 'VFcvLis4CE', 'py3vjivxuO', 'SVHvyABprK', 'dPIvECBrmC', 'U98bNb4Epd99xZl9T5V7', 'W1d9na4EQaX8APDQvRgw', 'GpsXZX4ExVSSD2t17vDU', 'rhuA2S4E7Aq2KwrrClGi'
Source: yQrCGtNgsf.exe, spDAHXkQOrYnihspdJg.cs High entropy of concatenated method names: 'hBpkZriy8i', 'C8dCfk4DzqShhwb4E85o', 'Pqtghk4DZoMwBFg5vNHp', 'fg1xVq4DI6Xl47dYXRnq', 'sAaiSr4LXKxB3sM6R5kT', 'WdORDX4LkQEHf1FZJIY3', 'dbJH3V4LKjOoHv6ulaqf', 'DbrvIL4LetukskVmPvdu', 'nDOKNh4LmNE0nvLMUpi7', 'JZ4mMmbGb4'
Source: yQrCGtNgsf.exe, P90gNMkjDSGOHUusEBe.cs High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'FBx4vkWooTx', 'iA44k4PU8kY', 'AS91ao4DW8eLORXrf2jr', 'yW1DpI4DDMZYDWMF1d6i', 'blihRc4DLGJW6dlMuebQ', 'Bk8fOd4DjslXFeMsyRCb', 'pfrQn14DyACwLjCEQ0vW'
Source: yQrCGtNgsf.exe, esmLp7wfbx0ZaFp6lpy.cs High entropy of concatenated method names: 'b76', 'method_0', 'q7Q', 'K41', 'vEh', 'pu6', 'Xk4', 'K81', 'YV4', 'method_1'
Source: yQrCGtNgsf.exe, mVb93mreQt359Nmt1U5.cs High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'YCHrm1KYJM', 'Write', 'Vr8rM4vgZk', 'BLirYYfMwg', 'Flush', 'vl7'
Source: yQrCGtNgsf.exe, TW5v7oTBAAHdPUVsKnl.cs High entropy of concatenated method names: 'DuYTdKmxMG', 'vOVTir34gs', 'trbTfrCvWf', 'Q4MT26YB5N', 'iwqTZcuLAR', 'vM9Ebp4JpYBQyvcMSYYP', 'iTVjAY4JwaBn9po5yuGN', 'mLfeJq4JaJMGNuNvZMko', 'a8m8OO4JQJmk9LO4gd6X', 'TC4rkN4JxRWs1bU5mi7F'
Source: yQrCGtNgsf.exe, D01LQ8pAcivABjr9hY8.cs High entropy of concatenated method names: 'zia4vOJTAob', 'AYbpJRIpCt', 'iVRpPLax75', 'gA7puFgc8g', 'mmtAds4hq3sgNNpvY5U3', 'nX6AET4h1TXr2tikwrRK', 'L9acUu4h0WbRh21DiuKJ', 'h2j6584hGS958CumSFnN', 'BPphPj4h9op4fwAodYCC', 'A9r3nE4hogwcSl6oceH2'

Persistence and Installation Behavior
barindex
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File written: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\pLpTuJYH.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\apDEhkEl.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\yuIieleo.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\zuWaRqDn.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\VnZQnlzb.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\LCrhcYww.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\BDesMBdT.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\KRjbfmWU.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\fXYUxCDX.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\OzAXPueG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\RfcHRSFf.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\pGrkhfIF.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\HPxsKDSZ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\oxAuScwr.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\FTTrxXjd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\cyaNQADQ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\mvOMxtrw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\NkPigQpK.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\VjLFuzVH.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\RdNoqiHi.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\waJkCVMY.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\nzBVHGUq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\vlAbNuev.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Recovery\JPOyDhPFIytu.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\WTjyQsvs.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\SKvXgoIi.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\eReVdbbp.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\IjLZavdG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\MAAYLQkP.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\UkLxLBCd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\dUDNIbMu.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\TLlpvaAw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\eWtfXNEJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\lmQBfErr.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\TzzXjEkC.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\KZthgyKJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\TADrPPcC.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\GJcAmyRG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\zdFkvbcm.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\gcAWdtGq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\edjwtIzh.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\TzzXjEkC.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\apDEhkEl.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\yuIieleo.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File created: C:\Users\user\Desktop\pLpTuJYH.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\RdNoqiHi.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\lmQBfErr.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\UkLxLBCd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\LCrhcYww.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\OzAXPueG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\zuWaRqDn.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\pGrkhfIF.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\fXYUxCDX.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\mvOMxtrw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\GJcAmyRG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\waJkCVMY.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\oxAuScwr.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\MAAYLQkP.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\FTTrxXjd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\vlAbNuev.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\edjwtIzh.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\IjLZavdG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\cyaNQADQ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\SKvXgoIi.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\BDesMBdT.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\dUDNIbMu.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\gcAWdtGq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\eReVdbbp.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\VjLFuzVH.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\TLlpvaAw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\WTjyQsvs.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\NkPigQpK.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\KZthgyKJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\RfcHRSFf.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\nzBVHGUq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\eWtfXNEJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\VnZQnlzb.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\HPxsKDSZ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\TADrPPcC.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\KRjbfmWU.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File created: C:\Users\user\Desktop\zdFkvbcm.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Memory allocated: D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Memory allocated: 1A6F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 750000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1A560000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 10A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1AA50000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1AC80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1AC00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 14A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1B1B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 860000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1A530000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: F70000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1AE10000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 11A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1AF20000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Memory allocated: 1ABB0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Dropped PE file which has not been started: C:\Users\user\Desktop\pLpTuJYH.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Dropped PE file which has not been started: C:\Users\user\Desktop\apDEhkEl.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yuIieleo.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zuWaRqDn.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VnZQnlzb.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LCrhcYww.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\KRjbfmWU.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\BDesMBdT.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fXYUxCDX.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\OzAXPueG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RfcHRSFf.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\pGrkhfIF.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HPxsKDSZ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\oxAuScwr.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\FTTrxXjd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cyaNQADQ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mvOMxtrw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NkPigQpK.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VjLFuzVH.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\waJkCVMY.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RdNoqiHi.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nzBVHGUq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vlAbNuev.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WTjyQsvs.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SKvXgoIi.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eReVdbbp.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\IjLZavdG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MAAYLQkP.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\dUDNIbMu.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eWtfXNEJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TLlpvaAw.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UkLxLBCd.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lmQBfErr.log Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TzzXjEkC.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\KZthgyKJ.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TADrPPcC.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GJcAmyRG.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zdFkvbcm.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\gcAWdtGq.log Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Dropped PE file which has not been started: C:\Users\user\Desktop\edjwtIzh.log Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe TID: 7652 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 8024 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7936 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7260 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7208 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 2740 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5264 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7628 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7736 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 3396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7012 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 1532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 6048 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 3832 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\w32tm.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Code function: 13_2_00007FFB4B4273B3 GetSystemInfo, 13_2_00007FFB4B4273B3
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012C03000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B50B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: JPOyDhPFIytu.exe, 00000028.00000002.2220166346.000000001B698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: JPOyDhPFIytu.exe, 00000033.00000002.2735341246.000000001B584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: w32tm.exe, 00000011.00000002.1801177190.0000020F2B458000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BA80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012E68000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000027.00000002.2165747598.00000295E6127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: JPOyDhPFIytu.exe, 00000023.00000002.2145156994.000000001AE20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: JPOyDhPFIytu.exe, 00000033.00000002.2735341246.000000001B4E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: JPOyDhPFIytu.exe, 0000002D.00000002.2517847675.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: w32tm.exe, 00000022.00000002.2088366144.000002511724A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EbE+OsUE7mh/ISTTWAwP1HBJirZqng0vbXHrz8DrL1tcGQgkY729ie2BNiqZGYYHl2p9sHhhqAuFGTLk7HhZGowmh7dEmQDfrhCDXoiPmM97SEGOQJNLN7gb+7zhzR/QyzQEA0FooFotKG5Lx4PBUIxDaA/HojHGhpCfYFgOKw1BYOhsD/R2BDQ+gKxYFzzBwLR5ngimugNhkOJsMa2JoZ7Nnat0Nii1an4SH/iHDY8OpRoX846RzPDiYH69rV6RTrZjmj/SKKnh/X6mwP+Zj+UFPM3BOJxQKOB5gZ/X7Q5EAj19YW05uZoOBTXGmKNgUQ43BT1J/xayB9uDgYSsWCsrymUwNpqQa25lw1kYql0f7KXZaAm5yXSvaxzpJdFIUOgoa85qsUCgb5A1B9t8Pv7oKDmQIMW1wLYDVooFo81h6LQIf5AvDfUFwo2B5tjjaE+LaCF4ol4oAmZfeGwv7EvFOrtDffFjGYtS/X3J6jTM/XnJgYT6WSMuqI90zkcHQait6+5IRBriPUFoO/8WszfDDXQQiF/LAat9MdjcWhxKAb1SCS0xng8FmrUEoHmpmAMOl1rDPYFGxJ9zVpvc7whHGuCLomzDYlonLXGAUluH4xHE/2ro4PRrYk4G0nG2fLRwehAMrY6MbwtFWcD/LEhMdQfjSXY2qFlqXgC826IDm5NsLbBePvgjtTFCbY0sTU5qOPty5OZoVQGTY1tGBkcTg4kViQT/fGV0cH4FIuXYPASmVT/juk87AZuC9MzdoFdTM+Wwzk3McyVrEinBqZ4KJHDac+0D25IAXJ+cjCeujSzdCTZP6yzpoolS+ASncOjQK9Lp2KJTCaXhdJrogMcoVZiUew8NFHCkL8hMTySHiQydSmMcTZhXTQNeYd1Dq/40mgmwZb1pwDyfgQqnYgOJ5Yn+hNb4amT0Cp+9p7lrx7pB4uJZoaznNZhkOgdGU5szMAAZymw7KGhNLSkvT8ezQxM8VszmcRAb//oimR/AlwgA2Y5lbgsNTCU7I+irW5I9Ed3EpaZSteHB8UgqTfZnxwenUrFvtyYSXRuS/T3t+1MxCgHGOLSUUC60qPQHOo01mkgw9GtLJYa7EtuNZylaxu0PA5NBsOLpQjBQcUeawrxzmDZbmGro8Pb2DoE2NWrEoNbh/EsoTUzOhhbFu3v743GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3o
Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 4uJZoaznNZhkOgdGU5szMAAZymw7KGhNLSkvT8ezQxM8VszmcRAb//oimR/AlwgA2Y5lbgsNTCU7I+irW5I9Ed3EpaZSteHB8UgqTfZnxwenUrFvtyYSXRuS/T3t+1MxCgHGOLSUUC60qPQHOo01mkgw9GtLJYa7EtuNZylaxu0PA5NBsOLpQjBQcUeawrxzmDZbmGro8Pb2DoE2NWrEoNbh/EsoTUzOhhbFu3v743GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000006.00000002.1585148020.00000203A9A07000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AF30000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B440000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1841756933.000000001B550000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1973360041.000000001B5F0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001D.00000002.2002562625.0000018DE7959000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2220166346.000000001B5D0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002C.00000002.2243437280.0000022664368000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Queries volume information: C:\Users\user\Desktop\yQrCGtNgsf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected DCRat
Source: Yara match File source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yQrCGtNgsf.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JPOyDhPFIytu.exe PID: 7920, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED
Yara detected zgRAT
Source: Yara match File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected DCRat
Source: Yara match File source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yQrCGtNgsf.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JPOyDhPFIytu.exe PID: 7920, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED
Yara detected zgRAT
Source: Yara match File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521033 Sample: yQrCGtNgsf.exe Startdate: 28/09/2024 Architecture: WINDOWS Score: 100 109 115583cm.n9shteam2.top 2->109 117 Multi AV Scanner detection for domain / URL 2->117 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 11 other signatures 2->123 15 yQrCGtNgsf.exe 4 26 2->15         started        signatures3 process4 file5 101 C:\Windows\...\JPOyDhPFIytu.exe, PE32 15->101 dropped 103 C:\Users\user\Desktop\yuIieleo.log, PE32 15->103 dropped 105 C:\Users\user\Desktop\pLpTuJYH.log, PE32 15->105 dropped 107 9 other malicious files 15->107 dropped 113 Drops executable to a common third party application directory 15->113 19 cmd.exe 1 15->19         started        signatures6 process7 signatures8 125 Uses ping.exe to sleep 19->125 127 Uses ping.exe to check the status of other devices and networks 19->127 22 JPOyDhPFIytu.exe 14 10 19->22         started        26 w32tm.exe 1 19->26         started        28 conhost.exe 19->28         started        30 chcp.com 1 19->30         started        process9 dnsIp10 111 115583cm.n9shteam2.top 37.44.238.250, 49710, 49713, 49714 HARMONYHOSTING-ASFR France 22->111 77 C:\Users\user\Desktop\lmQBfErr.log, PE32 22->77 dropped 79 C:\Users\user\Desktop\UkLxLBCd.log, PE32 22->79 dropped 81 C:\Users\user\Desktop\RdNoqiHi.log, PE32 22->81 dropped 83 2 other malicious files 22->83 dropped 32 cmd.exe 1 22->32         started        file11 process12 signatures13 115 Uses ping.exe to sleep 32->115 35 JPOyDhPFIytu.exe 9 32->35         started        38 conhost.exe 32->38         started        40 PING.EXE 1 32->40         started        42 chcp.com 1 32->42         started        process14 file15 69 C:\Users\user\Desktop\zuWaRqDn.log, PE32 35->69 dropped 71 C:\Users\user\Desktop\pGrkhfIF.log, PE32 35->71 dropped 73 C:\Users\user\Desktop\fXYUxCDX.log, PE32 35->73 dropped 75 2 other malicious files 35->75 dropped 44 cmd.exe 1 35->44         started        process16 process17 46 JPOyDhPFIytu.exe 44->46         started        49 conhost.exe 44->49         started        51 chcp.com 44->51         started        53 w32tm.exe 44->53         started        file18 93 C:\Users\user\Desktop\waJkCVMY.log, PE32 46->93 dropped 95 C:\Users\user\Desktop\oxAuScwr.log, PE32 46->95 dropped 97 C:\Users\user\Desktop\mvOMxtrw.log, PE32 46->97 dropped 99 2 other malicious files 46->99 dropped 55 cmd.exe 46->55         started        process19 signatures20 129 Uses ping.exe to sleep 55->129 58 JPOyDhPFIytu.exe 55->58         started        61 conhost.exe 55->61         started        63 chcp.com 55->63         started        65 PING.EXE 55->65         started        process21 file22 85 C:\Users\user\Desktop\vlAbNuev.log, PE32 58->85 dropped 87 C:\Users\user\Desktop\edjwtIzh.log, PE32 58->87 dropped 89 C:\Users\user\Desktop\MAAYLQkP.log, PE32 58->89 dropped 91 2 other malicious files 58->91 dropped 67 cmd.exe 58->67         started        process23
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
37.44.238.250
 115583cm.n9shteam2.top France
49434 HARMONYHOSTING-ASFR true

Contacted Domains

Name IP Active
115583cm.n9shteam2.top 37.44.238.250 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php true unknown