Windows Analysis Report
JIar3KCVf6.exe

Overview

General Information

Sample name: JIar3KCVf6.exe (renamed because the original name is a hash value)
Original sample name: 9097ab2b2b71f3ea0cf8c9271224b6227e9aa2545ae23d4621f122bdb99c77b8.exe
Analysis ID: 1524364
MD5: 54416fc42afa9b09ea7e8d8e318f4891
SHA1: 8c924431049191e763a14503517a9583f070fdeb
SHA256: 9097ab2b2b71f3ea0cf8c9271224b6227e9aa2545ae23d4621f122bdb99c77b8
Tags: exe, Rhysida, user-JAMESWT_MHT

Detection

Rhysida
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Rhysida Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Stores files to the Windows start menu directory
Uses reg.exe to modify the Windows registry

Classification

AV Detection

Source: JIar3KCVf6.exe Avira: detected
Source: JIar3KCVf6.exe ReversingLabs: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: JIar3KCVf6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error1e source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.rhysidaaU source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.rhysidasida._ source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdb/j\j source: JIar3KCVf6.exe, 00000000.00000002.4345542087.00000000043DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: ERROR rename file C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb to C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida -1 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdb# source: JIar3KCVf6.exe, 00000000.00000002.4345401884.00000000043A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.errorda-v^a source: JIar3KCVf6.exe, 00000000.00000002.4341853388.000000000403B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdbtkda source: JIar3KCVf6.exe, 00000000.00000002.4341853388.000000000403B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbN@Ee source: JIar3KCVf6.exe, 00000000.00000002.4340714444.0000000003DF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb0-3dc6d7aa0P source: JIar3KCVf6.exe, 00000000.00000002.4345756552.0000000004C92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\**ory\*\**at source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbda*} source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: winload_prod.pdb2r3b source: JIar3KCVf6.exe, 00000000.00000002.4341435009.0000000003F36000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:/support/logging/oobeldretw.dllndows.cortana.desktop-repl.mant.manmanent.mann339E3FA1AC2/winload_prod.pdbsferApi/73e95c97-d13d-4e4d-a445-357cf0e165a8.up_meta_body60-9B4EC72739D8}6ed66a2BDD97BB04_143ca0f173d46ed66a2a69d2085a72ec4cC68D6DECEZtEl source: JIar3KCVf6.exe, 00000000.00000003.4297395227.0000000002E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb~ source: JIar3KCVf6.exe, 00000000.00000002.4345756552.0000000004C92000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.rhysidaysida source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: ERROR rename file C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error to C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida -1 source: ConDrv.0.dr
Source: Binary string: Current dir entry ntkrnlmp.pdb source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdbperi source: JIar3KCVf6.exe, 00000000.00000002.4339441992.0000000003D10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbQ source: JIar3KCVf6.exe, 00000000.00000002.4335624423.0000000003C28000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.rhysidaaaV}Dae source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb[ source: JIar3KCVf6.exe, 00000000.00000002.4341625393.0000000003FA4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdbkata source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdbe source: JIar3KCVf6.exe, 00000000.00000002.4342872496.000000000417C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb3jHj source: JIar3KCVf6.exe, 00000000.00000002.4345542087.00000000043DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdb[x+m source: JIar3KCVf6.exe, 00000000.00000002.4341822842.0000000004029000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbPdRh source: JIar3KCVf6.exe, 00000000.00000002.4339441992.0000000003D10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbMx9m source: JIar3KCVf6.exe, 00000000.00000002.4341822842.0000000004029000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.rhysidadat}j<a. source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.rhysida source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.erroridadaH_Ua source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysidaidaa* source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.rhysida1.jsa source: JIar3KCVf6.exe, 00000000.00000002.4330582634.000000000090C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbM source: JIar3KCVf6.exe, 00000000.00000002.4344534870.000000000427F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdbj source: JIar3KCVf6.exe, 00000000.00000002.4345542087.00000000043DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.errorock source: JIar3KCVf6.exe, 00000000.00000002.4341853388.000000000403B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdb! source: JIar3KCVf6.exe, 00000000.00000002.4345401884.00000000043A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbiy%j source: JIar3KCVf6.exe, 00000000.00000002.4341822842.0000000004029000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 339E3FA1AC2/winload_prod.pdb source: JIar3KCVf6.exe, 00000000.00000003.4297395227.0000000002E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Current dir entry winload_prod.pdb source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdb7 source: JIar3KCVf6.exe, 00000000.00000002.4345401884.00000000043A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbch source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbA source: JIar3KCVf6.exe, 00000000.00000002.4337033164.0000000003C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbc81a source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbE source: JIar3KCVf6.exe, 00000000.00000002.4341988435.000000000408C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.rhysida5.log source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbC< source: JIar3KCVf6.exe, 00000000.00000002.4340848911.0000000003E61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysidaOG1ida6*Aa/ source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbY source: JIar3KCVf6.exe, 00000000.00000002.4343588161.00000000041F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbM1 source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb~,b source: JIar3KCVf6.exe, 00000000.00000002.4345236557.000000000434E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbg source: JIar3KCVf6.exe, 00000000.00000002.4342872496.000000000417C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbl source: JIar3KCVf6.exe, 00000000.00000002.4345756552.0000000004C92000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 4x nop then jmp 004309D0h 0_2_0041E423
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 4x nop then lea r8, qword ptr [0000000000461F00h] 0_2_0042D0D0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 4x nop then lea r8, qword ptr [0000000000460EA0h] 0_2_00428F60
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 4x nop then lea r8, qword ptr [00000000004618E0h] 0_2_0042BF10

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: JIar3KCVf6.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: JIar3KCVf6.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: \Device\ConDrv, type: DROPPED
Source: C:\Windows\System32\reg.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\Public\bg.jpg
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.rhysida entropy: 7.99828054912
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\IdentityCRL\production\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Network\Downloader\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Network\Connections\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Settings\Accounts\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Search\Data\Applications\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\User Account Pictures\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Support\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\$WinREAgent\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\$WinREAgent\Scratch\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Features\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Adobe\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Security Health\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Adobe\ARM\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Packages\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cy-GB\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ar-SA\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\ssh\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cs-CZ\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\dbg\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\USOShared\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\Public\Pictures\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Templates\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\as-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\Public\Documents\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSScan\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\Public\Desktop\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.rhysida entropy: 7.99758890325 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\am-ET\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\AppV\Setup\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\Public\Music\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\da-DK\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\Public\Videos\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\regid.1991-06.com.microsoft\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\af-ZA\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\AppV\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hr-HR\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Device Stage\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\eu-ES\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\Keys\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bg-BG\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\DSS\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bn-IN\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log.rhysida entropy: 7.99679366813 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.rhysida entropy: 7.99718849198 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.rhysida entropy: 7.99688957973 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.rhysida entropy: 7.9971569999 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.rhysida entropy: 7.99969698694 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\el-GR\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fa-IR\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\RSA\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\km-KH\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DeviceSync\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\id-ID\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fil-PH\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DRM\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\CriticalBreachDetected.pdf entropy: 7.99213908405 Jump to dropped file
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fi-FI\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\DRM\Server\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\et-EE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\EdgeUpdate\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\MapData\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.rhysida entropy: 7.99971458383
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.rhysida entropy: 7.99952891501
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.rhysida entropy: 7.99839687247
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.rhysida entropy: 7.99851361143
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.rhysida entropy: 7.99473982398
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\is-IS\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-CA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Provisioning\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-GB\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\IdentityCRL\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-MX\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\IdentityCRL\INT\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\he-IL\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\MF\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hu-HU\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\NetFramework\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gl-ES\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Network\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Search\Data\Temp\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ga-IE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Spectrum\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gd-GB\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Office\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.rhysida entropy: 7.99487720258
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.privacy.json.rhysida entropy: 7.99557933577
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.rhysida entropy: 7.99907591405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.rhysida entropy: 7.99760329396
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.rhysida entropy: 7.99692117382
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gu-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Speech_OneCore\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hi-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Search\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Search\Data\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mk-MK\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Storage Health\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kk-KZ\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Settings\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ka-GE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\SmsRouter\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ml-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\lv-LV\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\UEV\Templates\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\UEV\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\UEV\Scripts\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\WDF\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Vault\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\SoftwareDistribution\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\WinMSIPC\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\WinMSIPC\Server\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\WwanSvc\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft OneDrive\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft OneDrive\setup\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Package Cache\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\WindowsHolographicDevices\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\USOShared\Logs\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\USOShared\Logs\User\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\UserData\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Device Stage\Device\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Device Stage\Task\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\CriticalBreachDetected.pdf entropy: 7.99213908405
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00425D30 0_2_00425D30
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043E8F0 0_2_0043E8F0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043D8F0 0_2_0043D8F0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00430080 0_2_00430080
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0041B0B0 0_2_0041B0B0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043F0B0 0_2_0043F0B0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00431930 0_2_00431930
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_004491C0 0_2_004491C0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00424A70 0_2_00424A70
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00438AD0 0_2_00438AD0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0041D290 0_2_0041D290
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00432350 0_2_00432350
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0042DB70 0_2_0042DB70
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00442310 0_2_00442310
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00436330 0_2_00436330
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_004253F0 0_2_004253F0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00431930 0_2_00431930
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00426C30 0_2_00426C30
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0042D7C0 0_2_0042D7C0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0041B480 0_2_0041B480
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00429D60 0_2_00429D60
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00424560 0_2_00424560
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043D560 0_2_0043D560
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0044AD70 0_2_0044AD70
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043F530 0_2_0043F530
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0041C5C0 0_2_0041C5C0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0040E5F2 0_2_0040E5F2
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0043DDF0 0_2_0043DDF0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00436DF0 0_2_00436DF0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0042FDB0 0_2_0042FDB0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00438640 0_2_00438640
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00431E50 0_2_00431E50
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00436E60 0_2_00436E60
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00442EC0 0_2_00442EC0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0042D7A0 0_2_0042D7A0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00442680 0_2_00442680
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0044A6B0 0_2_0044A6B0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_0042C770 0_2_0042C770
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: 0_2_00433F70 0_2_00433F70
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: String function: 00449EB0 appears 46 times
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: String function: 0044B2C0 appears 40 times
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Code function: String function: 0041F850 appears 252 times
Source: JIar3KCVf6.exe Static PE information: Number of sections : 17 > 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: classification engine Classification label: mal84.rans.winEXE@51/341@0/0
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\CriticalBreachDetected.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\CriticalBreachDetected.pdf
Source: JIar3KCVf6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: JIar3KCVf6.exe ReversingLabs: Detection: 76%
Source: JIar3KCVf6.exe String found in binary or memory: -startinfo
Source: JIar3KCVf6.exe String found in binary or memory: -StartupInfo
Source: JIar3KCVf6.exe String found in binary or memory: -startinfo
Source: JIar3KCVf6.exe String found in binary or memory: F-startinfo
Source: JIar3KCVf6.exe String found in binary or memory: -StartupInfo
Source: JIar3KCVf6.exe String found in binary or memory: g-StartupInfo
Source: unknown Process created: C:\Users\user\Desktop\JIar3KCVf6.exe "C:\Users\user\Desktop\JIar3KCVf6.exe"
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: JIar3KCVf6.exe Static file information: File size 1261752 > 1048576
Source: JIar3KCVf6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: ERROR rename file C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb to C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida -1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: ERROR rename file C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error to C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida -1 source: ConDrv.0.dr
Source: Binary string: Current dir entry ntkrnlmp.pdb source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/winload_prod.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.rhysida source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ntkrnlmp.pdb! source: JIar3KCVf6.exe, 00000000.00000002.4345401884.00000000043A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbiy%j source: JIar3KCVf6.exe, 00000000.00000002.4341822842.0000000004029000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 339E3FA1AC2/winload_prod.pdb source: JIar3KCVf6.exe, 00000000.00000003.4297395227.0000000002E35000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: Current dir entry winload_prod.pdb source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2/download.error.rhysida source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdb7 source: JIar3KCVf6.exe, 00000000.00000002.4345401884.00000000043A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbch source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbA source: JIar3KCVf6.exe, 00000000.00000002.4337033164.0000000003C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbc81a source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbE source: JIar3KCVf6.exe, 00000000.00000002.4341988435.000000000408C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb.rhysida5.log source: JIar3KCVf6.exe, 00000000.00000002.4330582634.0000000000947000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb entries 1 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbC< source: JIar3KCVf6.exe, 00000000.00000002.4340848911.0000000003E61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/Local Settings/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/download.error.rhysidaOG1ida6*Aa/ source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbY source: JIar3KCVf6.exe, 00000000.00000002.4343588161.00000000041F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ERROR open file_to_crypt C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysida source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbM1 source: JIar3KCVf6.exe, 00000000.00000002.4341954989.0000000004063000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb~,b source: JIar3KCVf6.exe, 00000000.00000002.4345236557.000000000434E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831 entries 2 source: ConDrv.0.dr
Source: Binary string: Directory C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2 entries 2 source: ConDrv.0.dr
Source: Binary string: winload_prod.pdbg source: JIar3KCVf6.exe, 00000000.00000002.4342872496.000000000417C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbl source: JIar3KCVf6.exe, 00000000.00000002.4345756552.0000000004C92000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: JIar3KCVf6.exe Static PE information: section name: .xdata
Source: JIar3KCVf6.exe Static PE information: section name: /4
Source: JIar3KCVf6.exe Static PE information: section name: /19
Source: JIar3KCVf6.exe Static PE information: section name: /31
Source: JIar3KCVf6.exe Static PE information: section name: /45
Source: JIar3KCVf6.exe Static PE information: section name: /57
Source: JIar3KCVf6.exe Static PE information: section name: /70
Source: JIar3KCVf6.exe Static PE information: section name: /81
Source: JIar3KCVf6.exe Static PE information: section name: /92

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\JIar3KCVf6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\CriticalBreachDetected.pdf
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JIar3KCVf6.exe Window / User API: threadDelayed 7106
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 5228
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3087
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6655
Source: C:\Users\user\Desktop\JIar3KCVf6.exe TID: 7156 Thread sleep time: -71060s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6944 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: JIar3KCVf6.exe, 00000000.00000003.4296825900.00000000029F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-drivers-migration-replacement.manw5n1h2txyewy/LocalState/ContentManagementSDK/Creatives/280815/imprbeacons.datf4149c624e1f9ff93c886f3321ad_1A8E}_AutoIt3_AutoIt_chm411C1E69BDD97BB04Apprule703500v0.xmlWNMx
Source: JIar3KCVf6.exe, 00000000.00000002.4345460475.00000000043BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000002.4345460475.00000000043BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000003.4297395227.0000000002E35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-migration-replacement.man1-47d7-afa5-30f752dc978blState/Assets/c4d0028eef040a7ffac470afe683d9cdcc1cbec1a0a32156f64ec8d93ea2b3bd}_AutoIt3_AutoItX_AutoItX_chmtertrie.intermediate.txtFAEF8289v0.xmlv0.xmlS
Source: JIar3KCVf6.exe, 00000000.00000002.4345460475.00000000043BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000003.4296825900.00000000029F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-drivers-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000003.4296661450.00000000025B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-client-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000003.4297395227.0000000002E35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-migration-replacement.man
Source: JIar3KCVf6.exe, 00000000.00000002.4345460475.00000000043BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-migration-replacement.mana
Source: JIar3KCVf6.exe, 00000000.00000003.4296661450.00000000025B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: D:/sources/replacementmanifests/microsoft-hyper-v-client-migration-replacement.man/AppCache/MOJJRSYN/7/tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js0091/imprbeacons.dat538f65}/settingsconversions.txtte.txtows_immersivecontrolpanelgs.csg0.xmlrule70502v0.xml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "C:\Users\user\Desktop\C:\Users\user\Desktop\JIar3KCVf6.exe" -ErrorAction SilentlyContinue;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: JIar3KCVf6.exe, 00000000.00000002.4334040350.0000000003A22000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000003.4298090769.000000000346E000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000003.4297030473.0000000003AB6000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000003.4296390955.000000000268B000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000002.4333991092.00000000039FB000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000003.4297352481.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000002.4334118520.0000000003A44000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000002.4333792167.00000000039B4000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000002.4331518145.0000000002C80000.00000004.00000020.00020000.00000000.sdmp, JIar3KCVf6.exe, 00000000.00000002.4331377010.000000000268B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
No contacted IP infos