Windows Analysis Report
bgsTrRPJh0.exe

Overview

General Information

Sample name: bgsTrRPJh0.exe (renamed because the original name is a hash value)
Original sample name: 2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759.exe
Analysis ID: 1543072
MD5: 7c62976c8d0e7434b327ce3c402d8a62
SHA1: 0d91b68c7b1a1fb5471258591676fcf89025e238
SHA256: 2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759
Tags: BlackBasta, exe, user-JAMESWT_MHT

Detection

BlackBasta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Drops executable to a common third party application directory
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Potential evasive VBS script found (sleep loop)
Potential evasive VBS script found (use of timer() function in loop)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Writes a notice file (html or txt) to demand a ransom
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Black Basta
Description: "Black Basta" is a new ransomware strain discovered during April 2022 (it appears to have been in development since at least early February 2022). Given the group's ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

AV Detection

Source: bgsTrRPJh0.exe Virustotal: Detection: 72%
Source: bgsTrRPJh0.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: bgsTrRPJh0.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028BEC50 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy, 10_2_028BEC50
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028BF220 CryptReleaseContext, 10_2_028BF220
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028BF330 CryptGenRandom,CryptReleaseContext, 10_2_028BF330
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292EC50 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy, 14_2_0292EC50
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292F220 CryptReleaseContext, 14_2_0292F220
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292F330 CryptGenRandom,CryptReleaseContext, 14_2_0292F330
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0299A720 CryptReleaseContext, 14_2_0299A720
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292EDB0 CryptAcquireContextA,GetLastError,CryptReleaseContext, 14_2_0292EDB0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292F190 CryptGenRandom, 14_2_0292F190
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0292F150 CryptReleaseContext, 14_2_0292F150

Compliance

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Unpacked PE file: 10.2.bgsTrRPJh0.exe.2880000.1.unpack
Source: bgsTrRPJh0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\instructions_read_me.txt Jump to behavior
Source: bgsTrRPJh0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: bgsTrRPJh0.exe
Source: Binary string: AppVISVSubsystems64.pdbGCTL source: AppvIsvSubsystems64.dll.0.dr
Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.0.dr
Source: Binary string: AppVISVSubsystems64.pdb source: AppvIsvSubsystems64.dll.0.dr
Source: Binary string: AppVShNotify.pdb source: AppVShNotify.exe.0.dr
Source: Binary string: >rome_proxy.exe.pdb source: chrome_proxy.exe.0.dr
Source: Binary string: mavinject32.pdb source: MavInject32.exe.0.dr
Source: Binary string: $pe.pdb source: pe.dll.0.dr
Source: Binary string: AppVShNotify.pdbGCTL source: AppVShNotify.exe.0.dr

Spreading

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip32.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0019617C FindFirstFileExW, 10_2_0019617C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 10_2_0014E510
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00196566
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0288CB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 10_2_0288CB00
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0019617C FindFirstFileExW, 14_2_0019617C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 14_2_0014E510
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 14_2_00196566
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FCB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 14_2_028FCB00
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02988602 FindFirstFileExW, 14_2_02988602
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FC4DE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Thrd_sleep,__Mtx_unlock, 14_2_028FC4DE

Networking

Source: bgsTrRPJh0.exe, 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd *!* To access .onion websites downlo
Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo
Source: bgsTrRPJh0.exe, 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558935200.00000000025D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe, 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd *!* To access .onion websites downlo
Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo
Source: bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653485581.0000000000B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt74.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt236.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt169.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt85.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt3.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt170.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt33.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt60.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt89.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt132.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt82.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt2.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt148.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: pe.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: pe.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampi
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://crl3.digicert
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: pe.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeS
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: pe.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pe.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pe.dll.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: pe.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts
Source: AppvIsvSubsystems64.dll.0.dr String found in binary or memory: http://file://sftldr.dll
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: pe.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chrome_proxy.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: pe.dll.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000002.1653485581.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: pe.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bgsTrRPJh0.exe String found in binary or memory: https://www.flos-freeware.ch
Source: bgsTrRPJh0.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
Source: bgsTrRPJh0.exe String found in binary or memory: https://www.rizonesoft.com
Source: bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr String found in binary or memory: https://www.torproject.org/
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014BF90 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 10_2_0014BF90
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0014BF90 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 14_2_0014BF90
Source: AutoIt.chm.0.dr Binary or memory string: ./html/libfunctions/_WinAPI_GetRawInputData.ht memstr_2d35a436-2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\instructions_read_me.txt Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.
Source: Yara match File source: 14.2.bgsTrRPJh0.exe.28f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bgsTrRPJh0.exe.3150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bgsTrRPJh0.exe.28f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.bgsTrRPJh0.exe.27a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bgsTrRPJh0.exe.2880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.bgsTrRPJh0.exe.2880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.bgsTrRPJh0.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.bgsTrRPJh0.exe.2810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.bgsTrRPJh0.exe.2810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.bgsTrRPJh0.exe.3150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 7396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 8092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 6920, type: MEMORYSTR
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.xuy08dak6C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000003.00000002.1354752642.00000000031D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietROWS0
Source: cmd.exe, 00000003.00000002.1354752642.00000000031D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000003.00000002.1353270402.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000003.00000002.1353270402.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000003.00000002.1353270402.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000003.00000002.1353270402.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet@8
Source: cmd.exe, 00000003.00000002.1353270402.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet8
Source: cmd.exe, 00000003.00000002.1352958977.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000003.00000002.1352958977.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\Default\Ap=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\useres\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiers6)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 \Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideamDataProgr2
Source: vssadmin.exe, 00000005.00000002.1350484719.0000025B1B355000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000005.00000002.1349256268.0000025B1AFF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000005.00000002.1349256268.0000025B1AFF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietO
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.xuy08dak6C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558555497.00000000003A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default
Source: bgsTrRPJh0.exe, 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.xuy08dak6C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.1556887958.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietROWS
Source: cmd.exe, 0000000B.00000002.1556887958.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.1556583369.0000000003040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.1556583369.0000000003040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\Default\Ap=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\useres\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiers6)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 \Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideamDataProgr2
Source: cmd.exe, 0000000B.00000002.1556644176.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.1556644176.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.1556644176.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.1556644176.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 0000000D.00000002.1555747148.000001DFECA85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006380- TID: 00006420- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: user-PC\user, SID:S-1-5-21-2246122658-3693405117-2476756634-1003
Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default<\R
Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC880000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietx\RL
Source: bgsTrRPJh0.exe Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.xuy08dak6C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653008057.00000000008B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet~
Source: bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.xuy08dak6C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.1641110489.0000000003500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietROWSQj
Source: cmd.exe, 0000000F.00000002.1641110489.0000000003500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.1638378929.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.1638378929.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.1638378929.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.1638378929.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.1639691767.0000000003130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.1639691767.0000000003130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\Default\Ap=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\useres\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiers6)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 \Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideamDataProgr2
Source: vssadmin.exe, 00000011.00000002.1633474325.000001A0F6250000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default,
Source: vssadmin.exe, 00000011.00000002.1633474325.000001A0F6250000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000011.00000002.1633474325.000001A0F6250000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quieth
Source: vssadmin.exe, 00000011.00000002.1635706109.000001A0F64B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietj
Source: vssadmin.exe, 00000011.00000002.1633474325.000001A0F627A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007320- TID: 00007348- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: user-PC\user, SID:S-1-5-21-2246122658-3693405117-2476756634-1003
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\$WinREAgent\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\PerfLogs\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files (x86)\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\ProgramData\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Users\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\$WinREAgent\Scratch\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\7-Zip\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Adobe\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\$WinREAgent\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\PerfLogs\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\Program Files\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\Program Files (x86)\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\ProgramData\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\Users\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\$WinREAgent\Scratch\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\Program Files\Adobe\Acrobat DC\Esl\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped: C:\Program Files\Adobe\Acrobat DC\Resource\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00153EC0 appears 128 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00132D20 appears 32 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00193236 appears 108 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 02905D90 appears 34 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00195C37 appears 72 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00192068 appears 38 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 02962275 appears 56 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00132AD0 appears 46 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 02962242 appears 72 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 00132CC0 appears 38 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 02962320 appears 45 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 0296147D appears 51 times
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: String function: 001329E0 appears 34 times
Source: bgsTrRPJh0.exe, 00000000.00000000.1298020417.0000000000295000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
Source: bgsTrRPJh0.exe, 0000000A.00000000.1472969717.0000000000295000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
Source: bgsTrRPJh0.exe, 0000000E.00000000.1563242697.0000000000295000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
Source: bgsTrRPJh0.exe Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
Source: bgsTrRPJh0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HEXT=.COM;.EXE;.BAT;.CMD;.VBP
Source: classification engine Classification label: mal100.rans.spre.evad.winEXE@18/1723@0/0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00142F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree, 10_2_00142F30
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00146080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW, 10_2_00146080
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0015144D LoadResource, 10_2_0015144D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0290F660 GetTickCount,GetTickCount,OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,CloseServiceHandle,QueryServiceStatusEx,Sleep,QueryServiceStatusEx,GetTickCount,ControlService,Sleep,QueryServiceStatusEx,GetTickCount,GetTickCount,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 14_2_0290F660
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Users\instructions_read_me.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Mutant created: \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Users\user~1\AppData\Local\Temp\fkdjsadasd.ico
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: *.* 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: TaskbarCreated 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: 333 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: MiniPath 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: *.* 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: TaskbarCreated 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: 333 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: MiniPath 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: *.* 14_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: TaskbarCreated 14_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: 333 14_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Command line argument: MiniPath 14_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File read: C:\Program Files\Mozilla Firefox\crashreporter.ini
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bgsTrRPJh0.exe Virustotal: Detection: 72%
Source: bgsTrRPJh0.exe ReversingLabs: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\bgsTrRPJh0.exe "C:\Users\user\Desktop\bgsTrRPJh0.exe"
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Section loaded: ????????????.dll Jump to behavior
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\7-Zip\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\7-Zip\Lang\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft\OneDrive\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Esl\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\Accessories\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\instructions_read_me.txt
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\SaslPrep\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\ado\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\msadc\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Common Files\System\Ole DB\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\instructions_read_me.txt Jump to behavior
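The entries above show one process creating a file with a single fixed name, instructions_read_me.txt, in well over a hundred unrelated directories within seconds. That spread, one file name across many directories from one image, is the cheapest telemetry signal for a note drop and does not depend on the note's text or on any YARA match. The detector below is an added example written for this page, not part of the report or of the sandbox; it runs over constructed file-creation events whose paths are taken from the list above. The event layout (timestamp, creating image, target path), the threshold and the window are assumptions you would tune to your own log source.

```python
"""Detect one process spreading a single file name across many directories.

Added example for this report, not sandbox code. The events are constructed
from the paths listed above; the (timestamp, image, path) layout, the
threshold and the window are assumptions to tune for a real log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
import ntpath

Event = Tuple[datetime, str, str]   # (time, creating process image, created path)

RANSOMWARE = r"C:\Users\user\Desktop\bgsTrRPJh0.exe"
NOTE_NAME = "instructions_read_me.txt"
# A dozen of the note locations the report lists under "Directory created".
NOTE_DIRS = [
    r"C:\Program Files\Common Files\System\msadc",
    r"C:\Program Files\Common Files\System\Ole DB",
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files\Microsoft\OneDrive\ListSync",
    r"C:\Program Files\Mozilla Firefox\browser\features",
    r"C:\Program Files\Mozilla Firefox\defaults\pref",
    r"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation",
    r"C:\Program Files\Reference Assemblies\Microsoft\Framework",
    r"C:\Program Files\Windows NT\Accessories\en-US",
    r"C:\Program Files\WindowsPowerShell\Modules\Pester",
    r"C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins",
    r"C:\Program Files\Common Files\microsoft shared\ink\en-US",
]
T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed timestamp, not the analysis time

NOTE_THRESHOLD = 10            # distinct directories that trigger an alert
WINDOW = timedelta(minutes=5)  # look-back over which the directories are counted


def build_sample_events() -> List[Event]:
    """Constructed event stream: the note sweep plus two benign patterns."""
    events: List[Event] = []
    for i, directory in enumerate(NOTE_DIRS):        # one note per second
        events.append((T0 + timedelta(seconds=i), RANSOMWARE,
                       ntpath.join(directory, NOTE_NAME)))
    # Explorer writing desktop.ini into two folders: few directories, no alert.
    events.append((T0 + timedelta(seconds=30), r"C:\Windows\explorer.exe",
                   r"C:\Users\user\Pictures\desktop.ini"))
    events.append((T0 + timedelta(seconds=31), r"C:\Windows\explorer.exe",
                   r"C:\Users\user\Music\desktop.ini"))
    # A logger rewriting the same file many times: one directory, no alert.
    for i in range(20):
        events.append((T0 + timedelta(seconds=40 + i),
                       r"C:\Program Files\SomeApp\logger.exe",
                       r"C:\ProgramData\SomeApp\app.log"))
    return events


def find_note_droppers(events: List[Event], threshold: int = NOTE_THRESHOLD,
                       window: timedelta = WINDOW) -> Dict[Tuple[str, str], List[str]]:
    """Return {(image, file name): sorted directories} for every process that
    created the same file name in at least `threshold` distinct directories
    within any `window`. Matching is case-insensitive, as NTFS is."""
    by_key: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, image, path in events:
        directory, name = ntpath.split(path)
        by_key[(image.lower(), name.lower())].append((ts, directory.lower()))

    hits: Dict[Tuple[str, str], List[str]] = {}
    for key, writes in by_key.items():
        writes.sort()                                  # by timestamp
        for i, (start, _) in enumerate(writes):        # slide the window start
            dirs = {d for ts, d in writes[i:] if ts - start <= window}
            if len(dirs) >= threshold:
                hits[key] = sorted(dirs)
                break
    return hits


if __name__ == "__main__":
    for (image, name), dirs in find_note_droppers(build_sample_events()).items():
        print(f"ALERT {image} wrote {name} into {len(dirs)} directories, e.g. {dirs[0]}")
```

Ten directories in five minutes is deliberately loose for a demo. In production, feed it Sysmon Event ID 11 or the equivalent EDR file-create event, exclude installers and backup agents by image hash rather than by name, and alert on the first threshold crossing rather than waiting for the sweep to finish, since by the time the note count reaches the hundreds seen above the encryption pass is already well underway.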
Source: bgsTrRPJh0.exe Static file information: File size 2026496 > 1048576
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_CURSOR (the sandbox labels these resource directory entries as section names; a PE section name is at most 8 bytes, so RT_ACCELERATOR and RT_GROUP_ICON cannot be section names)
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_BITMAP
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_ICON
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_MENU
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_DIALOG
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_STRING
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_ACCELERATOR
Source: bgsTrRPJh0.exe Static PE information: resource type: RT_GROUP_ICON
Source: bgsTrRPJh0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: bgsTrRPJh0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: bgsTrRPJh0.exe
Source: Binary string: AppVISVSubsystems64.pdbGCTL source: AppvIsvSubsystems64.dll.0.dr
Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.0.dr
Source: Binary string: AppVISVSubsystems64.pdb source: AppvIsvSubsystems64.dll.0.dr
Source: Binary string: AppVShNotify.pdb source: AppVShNotify.exe.0.dr
Source: Binary string: >rome_proxy.exe.pdb source: chrome_proxy.exe.0.dr
Source: Binary string: mavinject32.pdb source: MavInject32.exe.0.dr
Source: Binary string: $pe.pdb source: pe.dll.0.dr
Source: Binary string: AppVShNotify.pdbGCTL source: AppVShNotify.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Unpacked PE file: 10.2.bgsTrRPJh0.exe.2880000.1.unpack
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014A370 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 10_2_0014A370
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_001A9A81 push ecx; ret 10_2_001A9A94
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_001C3C9B push edi; retf 10_2_001C3C9C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00153F10 push ecx; ret 10_2_00153F23
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028F221F push ecx; ret 10_2_028F2232
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_001A9A81 push ecx; ret 14_2_001A9A94
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_001C3C9B push edi; retf 14_2_001C3C9C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00153F10 push ecx; ret 14_2_00153F23
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0296221F push ecx; ret 14_2_02962232
Source: bgsTrRPJh0.exe Static PE information: section name: .data entropy: 7.703272639276241
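A .data section at 7.70 bits per byte sits close to the 8.0 ceiling of uniformly random bytes; plain initialized data (strings, tables, zero-filled globals) scores far lower, so a value this high usually means compressed or encrypted payload waiting to be unpacked, which is consistent with the PE the sandbox recovered from memory at 10.2.bgsTrRPJh0.exe.2880000.1.unpack. The script below is an added example, not code from the report or from any tool it names: it walks the section table with the struct module only, computes Shannon entropy per section from the raw bytes on disk, and exercises itself on a constructed, non-loadable PE image with one low-entropy and one high-entropy section. The 7.0 threshold is an assumption; keep in mind that a .rsrc section holding PNG icons or other compressed resources is legitimately high-entropy, so treat the score as a triage hint, not a verdict.

```python
"""Per-section Shannon entropy for a PE file, using only the standard library.

Added example for this report, not sandbox or vendor code. The image built by
build_sample_pe() is constructed and not loadable; the 7.0 threshold is an
assumption.
"""
import math
import random
import struct
from collections import Counter
from typing import List, Tuple

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
PE_SIGNATURE = b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> List[Tuple[str, int, float]]:
    """Walk the section table and return (name, raw size, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + len(PE_SIGNATURE)
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = COFF_HDR.unpack_from(pe, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size   # skip the optional header
    out = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, *_rest = SECTION_HDR.unpack_from(
            pe, table_off + i * SECTION_HDR.size)
        raw = pe[raw_ptr:raw_ptr + raw_size]           # bytes as stored on disk
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, shannon_entropy(raw)))
    return out


def high_entropy_sections(pe: bytes, threshold: float = 7.0) -> List[str]:
    """Names of non-empty sections at or above the entropy threshold."""
    return [name for name, size, ent in section_entropies(pe) if size and ent >= threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE: a low-entropy .text and a pseudo-random .data.
    The optional header is omitted (SizeOfOptionalHeader = 0), so this image
    parses but would never load; it exists only to exercise the parser."""
    text = b"\x90\xC3" * 256                           # two symbols -> exactly 1.0 bit
    rng = random.Random(1)                             # deterministic stand-in for packed data
    data = bytes(rng.getrandbits(8) for _ in range(4096))
    text_off, data_off = 0x200, 0x400
    img = bytearray(data_off + len(data))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = PE_SIGNATURE
    # Machine=i386, 2 sections, no symbols, no optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    COFF_HDR.pack_into(img, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x0102)
    hdr = 0x44 + COFF_HDR.size
    SECTION_HDR.pack_into(img, hdr, b".text", len(text), 0x1000, len(text), text_off,
                          0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
    SECTION_HDR.pack_into(img, hdr + SECTION_HDR.size, b".data", len(data), 0x2000,
                          len(data), data_off, 0, 0, 0, 0, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
    img[text_off:text_off + len(text)] = text
    img[data_off:data_off + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, size, ent in section_entropies(sample):
        print(f"{name:8s} {size:6d} bytes  entropy {ent:.2f}")
    print("suspicious:", high_entropy_sections(sample))
```

Point section_entropies at the bytes of a real file to reproduce the report's figure; the parser reads SizeOfOptionalHeader from the COFF header, so PE32 and PE32+ are handled alike. Measuring entropy on SizeOfRawData rather than VirtualSize is deliberate: packers often declare a large VirtualSize for a section that is tiny on disk, and the on-disk bytes are what the "Detected unpacking" signature is really about.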

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip32.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\freebl3.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libEGL.dll
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skype
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Skype
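The writes above land on application binaries under Program Files (firefox.exe, freebl3.dll, 7z.exe and the rest), which is what the "Infects executable files" signature in the summary refers to. During response the practical question is which on-disk binaries were altered, and a SHA-256 manifest taken from a known-good install (a golden image, or a clean machine with the same product versions) answers it directly. The script below is an added example, not part of the report: it builds a manifest of PE files under a root, diffs it against a later run, and demonstrates the workflow on a constructed temporary tree that stands in for the Program Files paths above. The file names reuse those from the report; their contents and the hashes are made up for the demo.

```python
"""Hash-manifest integrity check for on-disk PE files.

Added example for this report, not tool or vendor code. The demo tree and its
file contents are constructed stand-ins for the Program Files paths above.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

PE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=PE_SUFFIXES) -> Dict[str, str]:
    """Map each PE file under root (relative path, backslash-joined) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = str(p.relative_to(root)).replace(os.sep, "\\")
            manifest[rel] = sha256_file(p)
    return manifest


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files whose hash changed, files that appeared, and files that disappeared."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake Program Files tree, then overwrite
    two executables and drop a note file the way the report describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (r"Mozilla Firefox\firefox.exe", r"Mozilla Firefox\freebl3.dll",
                    r"7-Zip\7z.exe", r"7-Zip\7z.dll"):
            p = root.joinpath(*rel.split("\\"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ" + rel.encode() * 16)            # fake "clean" binary
        baseline = build_manifest(root)

        # Simulated infection: two PEs rewritten, one .txt note added (ignored by the suffix filter).
        (root / "Mozilla Firefox" / "firefox.exe").write_bytes(b"MZ" + b"\xcc" * 128)
        (root / "7-Zip" / "7z.exe").write_bytes(b"MZ" + b"\xcc" * 128)
        (root / "7-Zip" / "instructions_read_me.txt").write_text("constructed note\n")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for f in files:
            print(f"{kind:8s} {f}")
```

The baseline must predate the intrusion; a manifest built after the sample ran only tells you what changed since then. On Windows, Get-AuthenticodeSignature over the same file list is a complementary check, since a vendor binary that has been overwritten no longer carries a valid signature, and the Run value named Skype recorded just above is the other artifact to pull from the same host, because a persistence entry pointing at one of these rewritten binaries is how the infection survives a reboot.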
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00150030 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW, 10_2_00150030
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_001505C0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree, 10_2_001505C0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00150C10 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 10_2_00150C10
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00149100 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups, 10_2_00149100
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014DAEB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 10_2_0014DAEB
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00150030 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW, 14_2_00150030
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_001505C0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree, 14_2_001505C0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00150C10 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 14_2_00150C10
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00149100 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups, 14_2_00149100
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0014DAEB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 14_2_0014DAEB
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028DE145 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_028DE145
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Dropped file: Do While objScriptExec.Status = 0 WScript.Sleep 100
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Dropped file: Do While objScriptEg>0uYjQtcrI22n_f"ZJWGU If iTimer = 50 Then
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Dropped file: Do While objScriptExec.Status = 0a&w0hW+F&~;D2k-6;8WW If iTimer = 50 Then
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Window / User API: threadDelayed 4658
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe API coverage: 4.2 %
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe API coverage: 3.8 %
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe TID: 7884 Thread sleep count: 150 > 30
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe TID: 7400 Thread sleep count: 4658 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0019617C FindFirstFileExW, 10_2_0019617C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 10_2_0014E510
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00196566
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0288CB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 10_2_0288CB00
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0019617C FindFirstFileExW, 14_2_0019617C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 14_2_0014E510
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 14_2_00196566
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FCB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 14_2_028FCB00
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02988602 FindFirstFileExW, 14_2_02988602
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FC4DE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Thrd_sleep,__Mtx_unlock, 14_2_028FC4DE
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0015261D VirtualQuery,GetSystemInfo, 10_2_0015261D
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exeH
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exeG
Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice>
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice|
Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00180F9D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014A370 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 10_2_0014A370
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0018AB08 mov ecx, dword ptr fs:[00000030h] 10_2_0018AB08
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193CBB mov eax, dword ptr fs:[00000030h] 10_2_00193CBB
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193CFE mov eax, dword ptr fs:[00000030h] 10_2_00193CFE
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193D41 mov eax, dword ptr fs:[00000030h] 10_2_00193D41
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193D9C mov eax, dword ptr fs:[00000030h] 10_2_00193D9C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193E62 mov eax, dword ptr fs:[00000030h] 10_2_00193E62
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193EA6 mov eax, dword ptr fs:[00000030h] 10_2_00193EA6
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193EEA mov eax, dword ptr fs:[00000030h] 10_2_00193EEA
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00193F1B mov eax, dword ptr fs:[00000030h] 10_2_00193F1B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0018AB08 mov ecx, dword ptr fs:[00000030h] 14_2_0018AB08
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193CBB mov eax, dword ptr fs:[00000030h] 14_2_00193CBB
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193CFE mov eax, dword ptr fs:[00000030h] 14_2_00193CFE
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193D41 mov eax, dword ptr fs:[00000030h] 14_2_00193D41
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193D9C mov eax, dword ptr fs:[00000030h] 14_2_00193D9C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193E62 mov eax, dword ptr fs:[00000030h] 14_2_00193E62
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193EA6 mov eax, dword ptr fs:[00000030h] 14_2_00193EA6
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193EEA mov eax, dword ptr fs:[00000030h] 14_2_00193EEA
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00193F1B mov eax, dword ptr fs:[00000030h] 14_2_00193F1B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02972DFB mov ecx, dword ptr fs:[00000030h] 14_2_02972DFB
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00198AA2 GetProcessHeap, 10_2_00198AA2
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00180F9D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0015333F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_0015333F
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00153ACD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00153ACD
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00153C63 SetUnhandledExceptionFilter, 10_2_00153C63
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_028F2375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_028F2375
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00180F9D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0015333F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_0015333F
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00153ACD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00153ACD
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00153C63 SetUnhandledExceptionFilter, 14_2_00153C63
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02962375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_02962375
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02962508 SetUnhandledExceptionFilter, 14_2_02962508
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02962572 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_02962572
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0296C983 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0296C983
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: bgsTrRPJh0.exe Binary or memory string: Shell_TrayWnd
Source: bgsTrRPJh0.exe, 00000000.00000000.1297922158.00000000001AE000.00000002.00000001.01000000.00000003.sdmp, bgsTrRPJh0.exe, 0000000A.00000000.1472708636.00000000001AE000.00000002.00000001.01000000.00000003.sdmp, bgsTrRPJh0.exe, 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatederherthgrgherhre.erhgergMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: bgsTrRPJh0.exe Binary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatederherthgrgherhre.erhgergMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00153CD0 cpuid 10_2_00153CD0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx, 10_2_001484F0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 10_2_0019C199
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_0019C43B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: ResolveLocaleName,GetLocaleInfoEx, 10_2_00148460
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_0019C4A4
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_0019C53F
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_0019C5CA
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW, 10_2_001466E0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_0019C81D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0019C946
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_0019CA4C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0019CB1B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_00192C34
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_00192D93
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 10_2_00192DC5
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_00150FE9
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: LCIDToLocaleName,GetLocaleInfoEx, 10_2_0015126B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_001936F0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_0291C244
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0291C313
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 10_2_0291C015
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0291C13E
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx, 14_2_001484F0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 14_2_0019C199
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_0019C43B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: ResolveLocaleName,GetLocaleInfoEx, 14_2_00148460
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_0019C4A4
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_0019C53F
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_0019C5CA
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW, 14_2_001466E0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_0019C81D
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_0019C946
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_0019CA4C
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_0019CB1B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_00192C34
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_00192D93
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: EnumSystemLocalesW, 14_2_00192DC5
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_00150FE9
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: LCIDToLocaleName,GetLocaleInfoEx, 14_2_0015126B
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_001936F0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_0298C244
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_0298C313
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW, 14_2_0298C015
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_0298C13E
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: GetLocaleInfoEx, 14_2_02960B22
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0019372F GetSystemTimeAsFileTime, 10_2_0019372F
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_02918138 GetTimeZoneInformation, 10_2_02918138
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00148650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,GetSysColor,CreateSolidBrush,CreateSolidBrush,GetSysColor,CreateSolidBrush,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,#381,#381,#381,LoadCursorW,RegisterClassW,LoadLibraryW,GlobalAlloc,LoadLibraryW,GlobalAlloc,LoadLibraryW,ExitProcess, 10_2_00148650
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos