Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522724
MD5:	5027e6b49ab2616a8f08f4c868b90dba
SHA1:	f7bbc4c784fb2a30d8a018b65f2632507335590d
SHA256:	509c5bf724b0d3bc60cdc93c1b0f1e6710cf23edb2293d670cb8bdeaa5ac7e6f
Tags:	exeGandCrabuser-jstrosch
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gandcrab

Yara detected ReflectiveLoader

AI detected suspicious sample

Contains functionality to determine the online IP of the system

Found Tor onion address

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses nslookup.exe to query domains

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gandcrab	GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.In a surprising announcement on May 31, 2019, the GandCrabs operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If theres one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.	Pinchy Spider	http://asec.ahnlab.com/1145 http://www.secureworks.com/research/threat-profiles/gold-garden http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/ https://asec.ahnlab.com/en/41450/ https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB58D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB58D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB4B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_00BB4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB56A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB56A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_00BB34F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB5400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_00BB5400
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F94B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	15_2_00F94B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F964F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	15_2_00F964F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	15_2_00F934F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F958D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F958D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F956A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F956A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F95400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	15_2_00F95400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00434B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	29_2_00434B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00435400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	29_2_00435400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004358D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004358D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004364F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	29_2_004364F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004334F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	29_2_004334F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004356A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004356A0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\Desktop\file.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2025452 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) : 192.168.2.11:50821 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2025453 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup) : 192.168.2.11:50826 -> 1.1.1.1:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160

Found Tor onion address

Source: file.exe	String found in binary or memory: rab2pie73et.onion.guide/da3fe3083522c987 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987 3. https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior

Detected non-DNS traffic on DNS port

Source: global traffic	TCP traffic: 192.168.2.11:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49715 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49722 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49721 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49720 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49719 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49718 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49717 -> 1.1.1.1:53

May check the online IP address of the machine

Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB84D0 lstrcatW,InternetCloseHandle,InternetConnectW,VirtualAlloc,wsprintfW,HttpOpenRequestW,HttpAddRequestHeadersW,HttpSendRequestW,InternetReadFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,VirtualFree,

0_2_00BB84D0

Source: global traffic	DNS traffic detected: DNS query: ipv4bot.whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: ns1.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: zonealarm.bit
Source: global traffic	DNS traffic detected: DNS query: ns2.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: ransomware.bit

Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/(
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/;
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sj.ms/register.php
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: file.exe	String found in binary or memory: https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://psi-im.org/download/
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770

Too many similar processes found

Source: conhost.exe	Process created: 48
Source: nslookup.exe	Process created: 60

System Summary

Malicious sample detected (through community Yara rule)

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB89A0	0_2_00BB89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1C20	0_2_00BB1C20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1020	0_2_00BB1020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E124E0	0_2_00E124E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E130E0	0_2_00E130E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E08424	0_2_00E08424
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0A5FD	0_2_00E0A5FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07940	0_2_00E07940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07EB2	0_2_00E07EB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E09691	0_2_00E09691
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E19E60	0_2_00E19E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E01BFB	0_2_00E01BFB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0679C	0_2_00E0679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F989A0	15_2_00F989A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91C20	15_2_00F91C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91020	15_2_00F91020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE24E0	15_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE30E0	15_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD8424	15_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FDA5FD	15_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7940	15_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7EB2	15_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD9691	15_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE9E60	15_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD1BFB	15_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD679C	15_2_00FD679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431C20	29_2_00431C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431020	29_2_00431020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004389A0	29_2_004389A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE24E0	29_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE30E0	29_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD8424	29_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FDA5FD	29_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7940	29_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7EB2	29_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD9691	29_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE9E60	29_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD1BFB	29_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD679C	29_2_00FD679C

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD2790 appears 42 times
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD32DA appears 32 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@398/2@1702/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB7600 VirtualAlloc,VirtualAlloc,GetUserNameW,VirtualAlloc,GetComputerNameW,wsprintfW,VirtualAlloc,wsprintfW,VirtualAlloc,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,RegOpenKeyExW,RegQueryValueExW,GetLastError,RegCloseKey,lstrcmpiW,wsprintfW,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,ExitProcess,wsprintfW,VirtualAlloc,VirtualAlloc,GetWindowsDirectoryW,GetVolumeInformationW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,GetModuleHandleW,GetProcAddress,lstrlenW,VirtualFree,lstrcatW,VirtualAlloc,GetDriveTypeW,lstrcatW,lstrcatW,lstrcatW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,VirtualAlloc,VirtualFree,

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB7CE0 wsprintfW,VirtualAlloc,VirtualAlloc,VirtualAlloc,VirtualAlloc,CreateToolhelp32Snapshot,VirtualFree,Process32FirstW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,Process32NextW,GetLastError,lstrlenW,VirtualFree,VirtualFree,CloseHandle,VirtualFree,

0_2_00BB7CE0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=da3fe3083522c987
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Yara detected ReflectiveLoader

Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583581493.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E11069 push esp; iretd	0_2_00E11191
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E111A4 push 6C00E0CFh; iretd	0_2_00E111A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1119C pushad ; iretd	0_2_00E1119D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E027D5 push ecx; ret	0_2_00E027E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE1069 push esp; iretd	15_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD27D5 push ecx; ret	15_2_00FD27E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE1069 push esp; iretd	29_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD27D5 push ecx; ret	29_2_00FD27E8

Drops PE files

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E01BFB EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E01BFB

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\file.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_00BB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	15_2_00F92F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	29_2_00432F50

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep count: 329 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep time: -329000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Source: nslookup.exe, 00000043.00000002.1995462764.0000000002968000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: nslookup.exe, 00000009.00000002.1628596929.0000000002B19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000D.00000002.1657036223.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: nslookup.exe, 0000002C.00000002.1860308992.0000000002677000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: nslookup.exe, 00000007.00000002.1616929297.0000000002B79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: nslookup.exe, 0000003C.00000002.1957470394.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\p
Source: nslookup.exe, 0000003E.00000002.1970270373.00000000032F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^4I
Source: file.exe, 00000000.00000002.2791556153.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: nslookup.exe, 00000003.00000002.1589200684.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000005.00000002.1601748756.00000000035A9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000B.00000002.1644784030.0000000002C89000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000010.00000002.1678588129.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001B.00000002.1742251945.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000020.00000002.1780589150.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000022.00000002.1793471404.0000000003348000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000024.00000002.1807509867.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000026.00000002.1820162340.0000000002A79000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000028.00000002.1833392605.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000002A.00000002.1845682656.0000000002F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nslookup.exe, 00000012.00000002.1690269558.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000017.00000002.1716417022.0000000003319000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001E.00000002.1764334421.0000000002AE9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000034.00000002.1913990128.0000000002D89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ
Source: nslookup.exe, 00000015.00000002.1703679027.0000000002918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Source: nslookup.exe, 00000019.00000002.1728893613.0000000003409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: nslookup.exe, 00000032.00000002.1900139978.0000000000469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02984 IsDebuggerPresent,

0_2_00E02984

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E04BCA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E04BCA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6100 mov eax, dword ptr fs:[00000030h]	0_2_00BB6100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E175C0 mov eax, dword ptr fs:[00000030h]	0_2_00E175C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96100 mov eax, dword ptr fs:[00000030h]	15_2_00F96100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	15_2_00FE75C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436100 mov eax, dword ptr fs:[00000030h]	29_2_00436100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	29_2_00FE75C0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB33E0 lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess,

0_2_00BB33E0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E0315A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E03129 SetUnhandledExceptionFilter,	0_2_00E03129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD3129 SetUnhandledExceptionFilter,	15_2_00FD3129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD3129 SetUnhandledExceptionFilter,	29_2_00FD3129

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB3C80 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_00BB3C80

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB9680 cpuid

0_2_00BB9680

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02620 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E02620

Source: C:\Users\user\Desktop\file.exe

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: dwqocx.exe	Binary or memory string: cmdagent.exe
Source: dwqocx.exe	Binary or memory string: cfp.exe
Source: dwqocx.exe	Binary or memory string: avengine.exe
Source: dwqocx.exe	Binary or memory string: msmpeng.exe
Source: dwqocx.exe	Binary or memory string: AVP.EXE
Source: dwqocx.exe	Binary or memory string: ashDisp.exe
Source: dwqocx.exe	Binary or memory string: avgnt.exe
Source: dwqocx.exe	Binary or memory string: Mcshield.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
ipv4bot.whatismyipaddress.com	unknown	unknown
ransomware.bit	unknown	unknown
1.1.1.1.in-addr.arpa	unknown	unknown
zonealarm.bit	unknown	unknown
ns1.cloud-name.ru	unknown	unknown
ns2.cloud-name.ru	unknown	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB58D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB58D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB4B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	0_2_00BB4B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB8730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	0_2_00BB8730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB56A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	0_2_00BB56A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB34F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	0_2_00BB34F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB5400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	0_2_00BB5400
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F94B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	15_2_00F94B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F964F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	15_2_00F964F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F934F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	15_2_00F934F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F958D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F958D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F956A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	15_2_00F956A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F98730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	15_2_00F98730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F95400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	15_2_00F95400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00434B30 Sleep,ExitProcess,CreateThread,WaitForSingleObject,TerminateThread,CloseHandle,VirtualAlloc,GetModuleFileNameW,VirtualFree,ExitProcess,Sleep,lstrlenA,VirtualAlloc,CryptStringToBinaryA,ExitProcess,InitializeCriticalSection,DeleteCriticalSection,VirtualAlloc,GetModuleFileNameW,VirtualFree,ShellExecuteW,ExitThread,	29_2_00434B30
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00435400 lstrlenA,VirtualAlloc,CryptStringToBinaryA,lstrlenA,VirtualAlloc,lstrcpyA,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,VirtualFree,GetLastError,lstrlenA,VirtualAlloc,VirtualAlloc,VirtualAlloc,lstrcatA,lstrlenA,lstrlenW,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,InternetCloseHandle,	29_2_00435400
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438730 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438730
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004358D0 VirtualAlloc,VirtualFree,CryptBinaryToStringA,CryptBinaryToStringA,CryptBinaryToStringA,lstrlenA,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,lstrlenW,lstrcatW,VirtualFree,VirtualFree,VirtualFree,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrlenW,MultiByteToWideChar,lstrcatW,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcatW,lstrlenW,VirtualAlloc,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,lstrlenA,MultiByteToWideChar,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004358D0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004364F0 CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenKey,CryptExportKey,CryptExportKey,CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,	29_2_004364F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004334F0 lstrlenA,VirtualAlloc,VirtualAlloc,CryptStringToBinaryA,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,	29_2_004334F0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00438880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,	29_2_00438880
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004356A0 VirtualAlloc,wsprintfW,lstrlenW,lstrlenW,lstrlenW,VirtualFree,lstrlenW,VirtualAlloc,wsprintfA,lstrlenW,CryptBinaryToStringA,GetLastError,lstrlenA,lstrlenA,VirtualAlloc,lstrlenA,lstrlenA,lstrlenA,VirtualFree,VirtualFree,VirtualFree,VirtualFree,	29_2_004356A0

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\Desktop\file.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2025452 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup) : 192.168.2.11:50821 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2025453 - Severity 1 - ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup) : 192.168.2.11:50826 -> 1.1.1.1:53

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB7160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	0_2_00BB7160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F97160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	15_2_00F97160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00437160 VirtualAlloc,VirtualAlloc,lstrlenW,lstrlenA,wsprintfW,VirtualFree,InternetCloseHandle, ipv4bot.whatismyipaddress.com	29_2_00437160

Found Tor onion address

Source: file.exe	String found in binary or memory: rab2pie73et.onion.guide/da3fe3083522c987 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987 3. https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 0. https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 1. https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 2. https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: 3. https://gandcrab2pie73et.onion.to/da3fe3083522c987

Uses nslookup.exe to query domains

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior

Detected non-DNS traffic on DNS port

Source: global traffic	TCP traffic: 192.168.2.11:49716 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49715 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49722 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49721 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49720 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49719 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49718 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.11:49717 -> 1.1.1.1:53

May check the online IP address of the machine

Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com
Source: unknown	DNS query: name: ipv4bot.whatismyipaddress.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

0_2_00BB84D0

Source: global traffic	DNS traffic detected: DNS query: ipv4bot.whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: ns1.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: 1.1.1.1.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: zonealarm.bit
Source: global traffic	DNS traffic detected: DNS query: ns2.cloud-name.ru
Source: global traffic	DNS traffic detected: DNS query: ransomware.bit

Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://gandcrab2pie73et.onion/da3fe3083522c987
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/
Source: file.exe, 00000000.00000002.2791556153.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/(
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/;
Source: file.exe, 00000000.00000002.2791556153.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ipv4bot.whatismyipaddress.com/G
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://sj.ms/register.php
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: file.exe	String found in binary or memory: https://gandcrab2pie73et.onion.
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.guide/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.plus/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.rip/da3fe3083522c987
Source: file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gandcrab2pie73et.onion.to/da3fe3083522c987
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://psi-im.org/download/
Source: file.exe, file.exe, 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	0_2_00BB6770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	15_2_00F96770
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436770 EnterCriticalSection,CryptAcquireContextW,GetLastError,CryptAcquireContextW,LeaveCriticalSection,LeaveCriticalSection,CryptImportKey,CryptGetKeyParam,CryptEncrypt,GetLastError,CryptReleaseContext,LeaveCriticalSection,	29_2_00436770

Too many similar processes found

Source: conhost.exe	Process created: 48
Source: nslookup.exe	Process created: 60

System Summary

Malicious sample detected (through community Yara rule)

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB89A0	0_2_00BB89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1C20	0_2_00BB1C20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1020	0_2_00BB1020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E124E0	0_2_00E124E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E130E0	0_2_00E130E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E08424	0_2_00E08424
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0A5FD	0_2_00E0A5FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07940	0_2_00E07940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E07EB2	0_2_00E07EB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E09691	0_2_00E09691
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E19E60	0_2_00E19E60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E01BFB	0_2_00E01BFB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0679C	0_2_00E0679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F989A0	15_2_00F989A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91C20	15_2_00F91C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F91020	15_2_00F91020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE24E0	15_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE30E0	15_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD8424	15_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FDA5FD	15_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7940	15_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD7EB2	15_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD9691	15_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE9E60	15_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD1BFB	15_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD679C	15_2_00FD679C
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431C20	29_2_00431C20
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00431020	29_2_00431020
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_004389A0	29_2_004389A0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE24E0	29_2_00FE24E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE30E0	29_2_00FE30E0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD8424	29_2_00FD8424
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FDA5FD	29_2_00FDA5FD
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7940	29_2_00FD7940
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD7EB2	29_2_00FD7EB2
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD9691	29_2_00FD9691
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE9E60	29_2_00FE9E60
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD1BFB	29_2_00FD1BFB
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD679C	29_2_00FD679C

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD2790 appears 42 times
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: String function: 00FD32DA appears 32 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@398/2@1702/0

Source: C:\Users\user\Desktop\file.exe

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

0_2_00BB7CE0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=da3fe3083522c987
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\nslookup.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Unpacked PE file: 29.2.dwqocx.exe.430000.0.unpack

Yara detected ReflectiveLoader

Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.f90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fe20c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e120c0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dwqocx.exe.fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.1752023672.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583615305.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791139432.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1671067110.0000000000FE1000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1670976983.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1751727913.0000000000430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2791359211.0000000000E11000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583581493.0000000000BBF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 2524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwqocx.exe PID: 3536, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E11069 push esp; iretd	0_2_00E11191
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E111A4 push 6C00E0CFh; iretd	0_2_00E111A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1119C pushad ; iretd	0_2_00E1119D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E027D5 push ecx; ret	0_2_00E027E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE1069 push esp; iretd	15_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD27D5 push ecx; ret	15_2_00FD27E8
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE1069 push esp; iretd	29_2_00FE1191
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD27D5 push ecx; ret	29_2_00FD27E8

Drops PE files

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce bgummckzlfn	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00E01BFB

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains functionality to enumerate device drivers

Source: C:\Users\user\Desktop\file.exe	Code function: EnumDeviceDrivers,K32EnumDeviceDrivers,VirtualAlloc,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	0_2_00BB2F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	15_2_00F92F50
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: EnumDeviceDrivers,EnumDeviceDrivers,VirtualAlloc,EnumDeviceDrivers,GetDeviceDriverBaseNameW,lstrcmpiW,VirtualFree,VirtualFree,	29_2_00432F50

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Evaded block: after key decision

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep count: 329 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4616	Thread sleep time: -329000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	0_2_00BB6CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	0_2_00BB6F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	15_2_00F96CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	15_2_00F96F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436F00 lstrlenW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,	29_2_00436F00
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436CB0 lstrlenW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcatW,lstrlenW,lstrcmpW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,lstrlenA,VirtualFree,CloseHandle,lstrcmpW,FindNextFileW,FindClose,	29_2_00436CB0

Source: nslookup.exe, 00000043.00000002.1995462764.0000000002968000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: nslookup.exe, 00000009.00000002.1628596929.0000000002B19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000D.00000002.1657036223.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: nslookup.exe, 0000002C.00000002.1860308992.0000000002677000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: nslookup.exe, 00000007.00000002.1616929297.0000000002B79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: nslookup.exe, 0000003C.00000002.1957470394.0000000002EE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\p
Source: nslookup.exe, 0000003E.00000002.1970270373.00000000032F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^4I
Source: file.exe, 00000000.00000002.2791556153.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: nslookup.exe, 00000003.00000002.1589200684.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000005.00000002.1601748756.00000000035A9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000000B.00000002.1644784030.0000000002C89000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000010.00000002.1678588129.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001B.00000002.1742251945.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000020.00000002.1780589150.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000022.00000002.1793471404.0000000003348000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000024.00000002.1807509867.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000026.00000002.1820162340.0000000002A79000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000028.00000002.1833392605.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000002A.00000002.1845682656.0000000002F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: nslookup.exe, 00000012.00000002.1690269558.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000017.00000002.1716417022.0000000003319000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 0000001E.00000002.1764334421.0000000002AE9000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, 00000034.00000002.1913990128.0000000002D89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZZ
Source: nslookup.exe, 00000015.00000002.1703679027.0000000002918000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
Source: nslookup.exe, 00000019.00000002.1728893613.0000000003409000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]
Source: nslookup.exe, 00000032.00000002.1900139978.0000000000469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02984 IsDebuggerPresent,

0_2_00E02984

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\file.exe

0_2_00E04BCA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8880 CryptAcquireContextW,VirtualAlloc,GetModuleHandleA,LoadLibraryA,GetProcAddress,CryptReleaseContext,VirtualFree,CryptReleaseContext,VirtualFree,

0_2_00BB8880

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB6100 mov eax, dword ptr fs:[00000030h]	0_2_00BB6100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E175C0 mov eax, dword ptr fs:[00000030h]	0_2_00E175C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00F96100 mov eax, dword ptr fs:[00000030h]	15_2_00F96100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	15_2_00FE75C0
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00436100 mov eax, dword ptr fs:[00000030h]	29_2_00436100
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FE75C0 mov eax, dword ptr fs:[00000030h]	29_2_00FE75C0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB33E0 lstrlenA,GetProcessHeap,HeapAlloc,lstrcpyA,ExitProcess,

0_2_00BB33E0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E0315A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E03129 SetUnhandledExceptionFilter,	0_2_00E03129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 15_2_00FD3129 SetUnhandledExceptionFilter,	15_2_00FD3129
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD315A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00FD315A
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Code function: 29_2_00FD3129 SetUnhandledExceptionFilter,	29_2_00FD3129

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe "C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup zonealarm.bit ns1.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\nslookup.exe nslookup ransomware.bit ns2.cloud-name.ru	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB3C80 AllocateAndInitializeSid,GetModuleHandleA,GetProcAddress,FreeSid,

0_2_00BB3C80

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB9680 cpuid

0_2_00BB9680

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E02620 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E02620

Source: C:\Users\user\Desktop\file.exe

0_2_00BB7600

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: dwqocx.exe	Binary or memory string: cmdagent.exe
Source: dwqocx.exe	Binary or memory string: cfp.exe
Source: dwqocx.exe	Binary or memory string: avengine.exe
Source: dwqocx.exe	Binary or memory string: msmpeng.exe
Source: dwqocx.exe	Binary or memory string: AVP.EXE
Source: dwqocx.exe	Binary or memory string: ashDisp.exe
Source: dwqocx.exe	Binary or memory string: avgnt.exe
Source: dwqocx.exe	Binary or memory string: Mcshield.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

ID:	1522724
Product:	CloudBasic
Start time:	16:02:23
Start date:	30.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5027e6b49ab2616a8f08f4c868b90dba
SHA1:	f7bbc4c784fb2a30d8a018b65f2632507335590d
SHA256:	509c5bf724b0d3bc60cdc93c1b0f1e6710cf23edb2293d670cb8bdeaa5ac7e6f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Roaming\Microsoft\dwqocx.exe	PE32 executable (GUI) Intel 80386, for MS Windows	792DCCE2F5F5C326C8A2A36E993BB215	376EA88188D9D611B5985C9F8F7A96FCF79E6FF3	BB3662E2CF1E6B1925C65B1304E824E04FF3C337CEA73E671AD76B8A9C79FDA0
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5C326700C8688F1A46A3FD1C88188DDB	C9CBFE61821A3D32A31A7044DBBD17E815A23F02	AA4BF9370306578C43EEAC963241942B8821589FE6F1502D8FFA53F1669ACC2F

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Domains

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by