Windows Analysis Report
3312.PDF.scr

Overview

General Information

Sample name:	3312.PDF.scr renamed because original name is a hash value
Original sample name:	_i_300924_i_30_09_2024___UA973248410000000026006263312.PDF.scr
Analysis ID:	1523195
MD5:	4e30f8fa403546790a16a9b0e0c72f02
SHA1:	a22f898920194c5e191abfd535fa79ee387fbd8b
SHA256:	c62d2fd76a5742a08db7157ad38b2f0209a11e8e9cc698902dbf366913fae535
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3312.PDF.scr

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\djjergw

Avira: detection malicious, Label: HEUR/AGEN.1312571

Found malware configuration

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}

Multi AV Scanner detection for submitted file

Source: 3312.PDF.scr

Virustotal: Detection: 39%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\djjergw

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 3312.PDF.scr

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 3312.PDF.scr

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\3312.PDF.scr

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 45.143.201.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49739 -> 45.143.201.14:80
Source: Network traffic	Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49738 -> 45.143.201.14:80

Source: Malware configuration extractor	URLs: http://unicexpertmagazine.pw/index.php
Source: Malware configuration extractor	URLs: http://ceoconstractionstore.pl/index.php
Source: Malware configuration extractor	URLs: http://openclehardware.ru/index.php
Source: Malware configuration extractor	URLs: http://informcoopirationunicolceo.ru/index.php

Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mvrswdonrbcmf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 260Host: unicexpertmagazine.pw
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hdfqubgmiehcd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: unicexpertmagazine.pw
Source: global traffic	HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rsswvdbjffron.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 195Host: unicexpertmagazine.pw

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: unicexpertmagazine.pw
Source: global traffic	DNS traffic detected: DNS query: ceoconstractionstore.pl
Source: global traffic	DNS traffic detected: DNS query: openclehardware.ru
Source: global traffic	DNS traffic detected: DNS query: informcoopirationunicolceo.ru
Source: global traffic	DNS traffic detected: DNS query: api.msn.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:35:10 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:35:10 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:36:16 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: nginx/1.18.0date: Tue, 01 Oct 2024 07:36:17 GMTcontent-type: text/html; charset=utf-8transfer-encoding: chunkedData Raw: 31 41 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1A2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0

Source: Yara match	File source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401529
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402FFA RtlCreateUserThread,NtTerminateProcess,	0_2_00402FFA
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401541
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401545
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401553
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402379 NtQuerySystemInformation,	0_2_00402379
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040237B NtQuerySystemInformation,	0_2_0040237B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401534
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014DB
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004020EA NtQuerySystemInformation,	0_2_004020EA
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402387 NtQuerySystemInformation,	0_2_00402387
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00402397 NtQuerySystemInformation,	0_2_00402397
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040239B NtQuerySystemInformation,	0_2_0040239B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040239E NtQuerySystemInformation,	0_2_0040239E
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401529
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402FFA RtlCreateUserThread,NtTerminateProcess,	5_2_00402FFA
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401541
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401545
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401553
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402379 NtQuerySystemInformation,	5_2_00402379
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040237B NtQuerySystemInformation,	5_2_0040237B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_00401534
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_004014DB
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004020EA NtQuerySystemInformation,	5_2_004020EA
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402387 NtQuerySystemInformation,	5_2_00402387
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00402397 NtQuerySystemInformation,	5_2_00402397
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040239B NtQuerySystemInformation,	5_2_0040239B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040239E NtQuerySystemInformation,	5_2_0040239E

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00418730		0_2_00418730
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00418730		5_2_00418730

Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000001.00000000.1746657492.000000000CA42000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000001.00000000.1743054691.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1744674085.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1743420076.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1745816371.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3kI
Source: explorer.exe, 0000000A.00000003.2703383894.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2681117571.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000001.00000000.1742331928.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1745816371.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/BA
Source: explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 0000000A.00000003.2718077768.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905595416.0000000008020000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707695380.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1743944804.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2904513919.00000000054FF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000003.2705554465.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704102871.0000000008CC7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008C9D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2706757154.0000000008D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000001.00000000.1743944804.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bing.c
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1742331928.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm
Source: explorer.exe, 0000000A.00000003.2664553474.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fgwm-dark
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 0000000A.00000003.2667600786.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.00000000047FE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 0000000A.00000003.2703067682.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705262424.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2712298809.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711027366.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2707506218.0000000008E70000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905595416.0000000008020000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn

Source: 00000005.00000002.2038380670.0000000002160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1761506014.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1761888720.000000000082D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2038193053.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1761540822.00000000006C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000005.00000002.2038289843.000000000060D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.2038416876.0000000002181000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1761578601.00000000006E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: 3312.PDF.scr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: djjergw.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: unknown	Process created: C:\Users\user\Desktop\3312.PDF.scr "C:\Users\user\Desktop\3312.PDF.scr" /S
Source: unknown	Process created: C:\Users\user\AppData\Roaming\djjergw C:\Users\user\AppData\Roaming\djjergw
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 9020
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe

Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: container.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fhcfg.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: efsutil.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.system.userprofile.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cloudexperiencehostbroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsync.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: settingsynccore.dll	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Unpacked PE file: 0.2.3312.PDF.scr.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\djjergw	Unpacked PE file: 5.2.djjergw.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0040237B push 000023C2h; retn 0023h	0_2_0040238B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_004025DC push ebp; ret	0_2_004025FC
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00401284 pushad ; iretd	0_2_00401286
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A2643 push ebp; ret	0_2_006A2663
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A12EB pushad ; iretd	0_2_006A12ED
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A23E2 push 000023C2h; retn 0023h	0_2_006A23F2
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0082D88C push eax; retf	0_2_0082D88D
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00831297 pushad ; iretd	0_2_00831299
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00832DBC push es; retf	0_2_00832DD3
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00837ACF push esp; ret	0_2_00837AD0
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_008344EC push ebx; ret	0_2_008344EF
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0040237B push 000023C2h; retn 0023h	5_2_0040238B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_004025DC push ebp; ret	5_2_004025FC
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00401284 pushad ; iretd	5_2_00401286
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E2643 push ebp; ret	5_2_005E2663
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E12EB pushad ; iretd	5_2_005E12ED
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E23E2 push 000023C2h; retn 0023h	5_2_005E23F2
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0061306C push es; retf	5_2_00613083
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00617D7F push esp; ret	5_2_00617D80
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00611547 pushad ; iretd	5_2_00611549
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0060D7FC push eax; ret	5_2_0060D7FD
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_0061479C push ebx; ret	5_2_0061479F

Source: 3312.PDF.scr	Static PE information: section name: .text entropy: 7.486122419985256
Source: djjergw.1.dr	Static PE information: section name: .text entropy: 7.486122419985256

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Users\user\AppData\Roaming\djjergw	Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\3312.PDF.scr	Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\3312.PDF.scr	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\3312.PDF.scr	API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\djjergw	API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\djjergw	API/Special instruction interceptor: Address: 7FFE2220D584

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 377	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3037	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 735	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1517	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 494	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 470	Jump to behavior

Windows Analysis Report 3312.PDF.scr

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
3312.PDF.scr

Malware Threat Intel
Provided by

Source: C:\Windows\explorer.exe TID: 3752	Thread sleep count: 377 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep count: 3037 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep time: -303700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep count: 735 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2056	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2004	Thread sleep count: 281 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2932	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep count: 346 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep time: -34600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep count: 1517 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3992	Thread sleep time: -151700s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_00418730 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418971h		0_2_00418730
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_00418730 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418971h		5_2_00418730

Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000000.1743944804.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2725520938.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2905935716.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2705554465.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2718077768.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008DD7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2704520251.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2703383894.0000000008D93000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2711340708.0000000008D93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000003.2703285048.0000000008DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000IO
Source: explorer.exe, 0000000A.00000003.2772623817.000000000B73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}xe@
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWa
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\v
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: en_NECVMWar&Prod_VMware_0
Source: explorer.exe, 0000000A.00000002.2905935716.0000000008D46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000003.2749269947.000000000B7ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000A.00000003.2791404151.000000000B772000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1742331928.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\xe=
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\xe
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xe
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000001.00000000.1742331928.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exeP
Source: explorer.exe, 00000001.00000000.1743944804.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2703285048.0000000008DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oneNECVMWar VMware SATA CD00eswindir=C:\Windol&
Source: explorer.exe, 00000001.00000000.1744477786.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 0000000A.00000002.2905935716.0000000008D46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000D&
Source: explorer.exe, 0000000A.00000003.2792005844.000000000B7EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 0000000A.00000002.2901365364.00000000047FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Countercss.dll+0x191e6
Source: explorer.exe, 0000000A.00000003.2772623817.000000000B73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000M
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}xeL
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1744477786.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
Source: explorer.exe, 0000000A.00000003.2731692731.000000000B7BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 0000000A.00000003.2757395584.000000000B84D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}9507e
Source: explorer.exe, 0000000A.00000002.2901365364.00000000048C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}exe
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2745342068.000000000B84E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\-
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\3312.PDF.scr	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Roaming\djjergw	Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\3312.PDF.scr	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A092B mov eax, dword ptr fs:[00000030h]	0_2_006A092B
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_006A0D90 mov eax, dword ptr fs:[00000030h]	0_2_006A0D90
Source: C:\Users\user\Desktop\3312.PDF.scr	Code function: 0_2_0082FE4F push dword ptr fs:[00000030h]	0_2_0082FE4F
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E092B mov eax, dword ptr fs:[00000030h]	5_2_005E092B
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_005E0D90 mov eax, dword ptr fs:[00000030h]	5_2_005E0D90
Source: C:\Users\user\AppData\Roaming\djjergw	Code function: 5_2_006100FF push dword ptr fs:[00000030h]	5_2_006100FF

Source: C:\Users\user\Desktop\3312.PDF.scr	Thread created: C:\Windows\explorer.exe EIP: 34419F0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Thread created: unknown EIP: 87C19F0			Jump to behavior

Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\3312.PDF.scr	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djjergw	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: explorer.exe, 0000000A.00000002.2901365364.0000000004875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2667600786.0000000004875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2671116139.0000000004875000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd29B%
Source: explorer.exe, 00000001.00000000.1742161033.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1743944804.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2901365364.00000000048BA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2904441386.0000000004BD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.2898393777.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0Progman
Source: explorer.exe, 00000001.00000000.1740976335.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1741168127.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager