Windows Analysis Report
wE1inOhJA5.msi

Overview

General Information

Sample name: wE1inOhJA5.msi
renamed because original name is a hash value
Original sample name: ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
Analysis ID: 1560070
MD5: 7c26877fcd894cc1355f2a31a551243c
SHA1: 80104216da4cd3449eabf0e0de2bb3a5b2de85ca
SHA256: ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
Tags: EnviaoloLLCmsiuser-JAMESWT_MHT

Detection

Remcos, RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
Yara detected Remcos RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution:
  • Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: rm.anonbaba.net Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\bce5c9c7fb0eb5498f5eb0ff4df1bd89.tmp Avira: detection malicious, Label: BAT/Runner.wekvp
Source: C:\Users\user\apps.bat Avira: detection malicious, Label: BAT/Runner.wekvp
Source: 00000016.00000002.4490232230.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rm.anonbaba.net:3393:1"], "Assigned name": "zp", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RNN6CM", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 22.3.task.exe.3b9dcbc.66.raw.unpack Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txna"}
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\75aedfde5bde214c9f1dda9d9e9a381f.tmp ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\87377860be1e204a95d069480a67ac12.tmp ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\g2m.dll (copy) ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\your_package_name.dll (copy) ReversingLabs: Detection: 66%
Source: C:\Users\user\g2m.dll ReversingLabs: Detection: 28%
Source: wE1inOhJA5.msi ReversingLabs: Detection: 44%
Source: Yara match File source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.4483545764.00000000000B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4482520616.0000000000060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4490232230.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4483930249.0000000000176000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4495447446.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: task.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 1272, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\user\task.exe Code function: 22_2_00091181 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 22_2_00091181
Source: C:\Users\user\task.exe Code function: 22_2_00066AFD CryptUnprotectData,LoadLibraryA,GetProcAddress, 22_2_00066AFD
Source: C:\Users\user\task.exe Code function: 24_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 24_2_00404423
Source: task.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown HTTPS traffic detected: 179.43.171.196:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: Binary string: your_package_name.pdbG source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1573600735.000000006C906000.00000002.00000001.01000000.00000006.sdmp, task.exe, 00000008.00000003.1472143930.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000016.00000002.4498290278.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp, task.exe, 0000001E.00000002.4491311882.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: wkernel32.pdb source: task.exe, 00000019.00000003.1667788844.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1667935272.0000000002C70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676696250.0000000005550000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676535563.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1572618363.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1668306416.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677021053.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: task.exe, 00000019.00000003.1664725236.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1665323555.0000000002D40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675135210.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675381954.0000000005620000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: your_package_name.pdbI source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: task.exe, 00000019.00000003.1665989629.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1666587570.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675802717.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676138788.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: task.exe, 00000019.00000003.1664725236.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1665323555.0000000002D40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675135210.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675381954.0000000005620000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: task.exe, 00000019.00000003.1665989629.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1666587570.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675802717.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676138788.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: task.exe, 0000001A.00000002.1666589979.000000000061C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: your_package_name.pdb source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1573600735.000000006C906000.00000002.00000001.01000000.00000006.sdmp, task.exe, 00000008.00000003.1472143930.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000016.00000002.4498290278.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp, task.exe, 0000001E.00000002.4491311882.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: wkernelbase.pdbUGP source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1668306416.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677021053.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: task.exe, 00000019.00000003.1667788844.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1667935272.0000000002C70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676696250.0000000005550000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676535563.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: expand.exe, 00000006.00000003.1433042313.000000000482F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1572618363.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000008.00000002.1571419937.0000000000402000.00000002.00000001.01000000.00000005.sdmp, task.exe, 00000008.00000000.1439408986.0000000000402000.00000002.00000001.01000000.00000005.sdmp, task.exe, 00000016.00000000.1579511832.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000016.00000002.4486274195.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000018.00000000.1650674244.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000019.00000002.1675825905.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001A.00000000.1651000866.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001B.00000000.1652070836.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001E.00000002.4486356902.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001E.00000000.1662738715.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.* source: task.exe, 0000001A.00000002.1666589979.0000000000608000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8FB0E1 FindFirstFileExW, 8_2_6C8FB0E1
Source: C:\Users\user\task.exe Code function: 22_2_6FE9B0E1 FindFirstFileExW, 22_2_6FE9B0E1
Source: C:\Users\user\task.exe Code function: 22_2_0006BF45 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 22_2_0006BF45
Source: C:\Users\user\task.exe Code function: 22_2_0006919E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_0006919E
Source: C:\Users\user\task.exe Code function: 22_2_00068290 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 22_2_00068290
Source: C:\Users\user\task.exe Code function: 22_2_000672F0 FindFirstFileW,FindNextFileW, 22_2_000672F0
Source: C:\Users\user\task.exe Code function: 22_2_0007A467 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 22_2_0007A467
Source: C:\Users\user\task.exe Code function: 22_2_0006B6E8 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 22_2_0006B6E8
Source: C:\Users\user\task.exe Code function: 22_2_000A97E9 FindFirstFileExA, 22_2_000A97E9
Source: C:\Users\user\task.exe Code function: 22_2_0006B903 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 22_2_0006B903
Source: C:\Users\user\task.exe Code function: 22_2_00068D46 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_00068D46
Source: C:\Users\user\task.exe Code function: 22_2_00077DE7 FindFirstFileW,FindNextFileW,FindNextFileW, 22_2_00077DE7
Source: C:\Users\user\task.exe Code function: 22_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 22_2_100010F1
Source: C:\Users\user\task.exe Code function: 22_2_10006580 FindFirstFileExA, 22_2_10006580
Source: C:\Users\user\task.exe Code function: 24_2_0040AE51 FindFirstFileW,FindNextFileW, 24_2_0040AE51
Source: C:\Users\user\task.exe Code function: 22_2_0006771B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 22_2_0006771B
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat
Source: chrome.exe Memory has grown: Private usage: 18MB later: 25MB

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49713 -> 179.43.171.197:3393
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49715 -> 179.43.171.197:3393
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49714 -> 179.43.171.197:3393
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49716 -> 179.43.171.197:3393
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 179.43.171.196:5982 -> 192.168.2.9:49718
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 179.43.171.196:5982 -> 192.168.2.9:49733
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 179.43.171.196:5982 -> 192.168.2.9:49739
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 179.43.171.196:443 -> 192.168.2.9:49740
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 179.43.171.196 5982
Source: Malware configuration extractor URLs: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txna
Source: Malware configuration extractor URLs: rm.anonbaba.net
Source: global traffic TCP traffic: 179.43.171.196 ports 5982,2,443,5,8,9
Source: global traffic TCP traffic: 192.168.2.9:49713 -> 179.43.171.197:3393
Source: global traffic TCP traffic: 192.168.2.9:49718 -> 179.43.171.196:5982
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 129.6.15.28
Source: Joe Sandbox View IP Address: 162.159.61.3
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: PLI-ASCH
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49717 -> 178.237.33.50:80
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 179.43.171.196:5982 -> 192.168.2.9:49733
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 179.43.171.196:5982 -> 192.168.2.9:49739
Source: unknown TCP traffic detected without corresponding DNS query: 179.43.171.196
Source: C:\Users\user\task.exe Code function: 22_2_00079664 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 22_2_00079664
Source: task.exe, 00000018.00000003.1683160704.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: task.exe, 00000018.00000003.1683160704.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: task.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: task.exe, 00000016.00000002.4496169757.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: task.exe, 00000016.00000002.4496169757.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: rm.anonbaba.net
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: time-a-g.nist.gov
Source: global traffic DNS traffic detected: DNS query: ts1.aco.net
Source: global traffic DNS traffic detected: DNS query: ntp.nict.jp
Source: global traffic DNS traffic detected: DNS query: ntp.time.in.ua
Source: global traffic DNS traffic detected: DNS query: ntp1.net.berkeley.edu
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: svchost.exe, 00000020.00000003.1949101503.000001BE85629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0
Source: svchost.exe, 00000020.00000003.1949101503.000001BE85629000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.01:
Source: task.exe, 00000016.00000003.1637474365.0000000003660000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647985043.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647419384.0000000000875000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: task.exe, 00000016.00000003.1640544536.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650331166.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647273159.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648907336.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642454762.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648293959.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642187022.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641987804.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648139673.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649617657.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1638859407.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652161168.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641701441.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651088954.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640814728.000000000086C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646658676.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640250134.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646278220.0000000000869000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1645514022.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648455258.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649057788.0000000000869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp$
Source: task.exe, 00000016.00000002.4483545764.00000000000B6000.00000004.00001000.00020000.00000000.sdmp, task.exe, 00000016.00000002.4495447446.0000000002550000.00000040.00001000.00020000.00000000.sdmp, task.exe, 0000001E.00000002.4482520616.0000000000060000.00000040.00001000.00020000.00000000.sdmp, task.exe, 0000001E.00000002.4483930249.0000000000176000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: task.exe, 00000016.00000003.1640544536.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650331166.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647273159.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648907336.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642454762.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648293959.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642187022.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641987804.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648139673.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649617657.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1686427068.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1638859407.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652161168.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641701441.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651088954.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000002.4490232230.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640814728.000000000086C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1685975988.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646658676.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640250134.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646278220.0000000000869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp6
Source: task.exe, 00000016.00000003.1640544536.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650331166.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647273159.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648907336.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642454762.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648293959.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642187022.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641987804.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648139673.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649617657.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1686427068.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1638859407.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652161168.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641701441.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651088954.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000002.4490232230.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640814728.000000000086C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1685975988.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646658676.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640250134.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646278220.0000000000869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpN
Source: task.exe, 00000016.00000003.1640544536.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650331166.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647273159.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648907336.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642454762.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648293959.0000000000871000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642187022.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641987804.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648139673.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649617657.0000000000874000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1638859407.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641701441.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640814728.000000000086C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646658676.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1640250134.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646278220.0000000000869000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1645514022.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648455258.0000000000875000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649057788.0000000000869000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1639168513.0000000000879000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647020161.0000000000869000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gphy
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1656628346.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: task.exe, 0000001B.00000002.1656628346.00000000008ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.coma
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: task.exe, 00000018.00000002.1683843310.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000001F.00000002.1764768294.000000000330C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.1764466512.0000000000C7C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.2169208927.000001BE856B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.2171115892.000001BE8295E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txna
Source: svchost.exe, 0000001F.00000002.1764768294.000000000330C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txnakernelbasentdllkernel32GetProcessMitigati
Source: svchost.exe, 00000020.00000002.2171115892.000001BE8295E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txnas
Source: svchost.exe, 0000001F.00000002.1764466512.0000000000C7C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txnax
Source: svchost.exe, 00000020.00000003.2169208927.000001BE856B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://179.43.171.196:5982/c329ffe03228fab8/o0tr85tn.5txnaymb
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msedge.exe, 00000026.00000002.1935253683.00001C0003170000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod
Source: svchost.exe, 0000001F.00000003.1695689800.000000000339F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: svchost.exe, 0000001F.00000003.1695689800.000000000339F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: task.exe, 00000018.00000003.1666212847.0000000002134000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1683160704.0000000000AFD000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1665557177.0000000002131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: task.exe, 00000018.00000003.1666212847.0000000002134000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1665557177.0000000002131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: task.exe, 00000018.00000003.1666212847.0000000002134000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1665557177.0000000002131000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: task.exe, 00000018.00000002.1685293190.000000000212D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1683033412.000000000212C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1683064834.000000000212C000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000018.00000003.1683263384.000000000212C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_i__
Source: task.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: msedge.exe, 00000026.00000002.1935253683.00001C0003170000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: task.exe, 00000016.00000002.4497866772.00000000041C0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 0000001B.00000002.1655472642.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: task.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: svchost.exe, 00000020.00000003.1876727727.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1877374560.000001BE8562A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 179.43.171.196:443 -> 192.168.2.9:49740 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\task.exe Code function: 22_2_00069E55 SetWindowsHookExA 0000000D,00069E3E,00000000 22_2_00069E55
Source: C:\Users\user\task.exe Code function: 22_2_0006B2B5 OpenClipboard,GetClipboardData,CloseClipboard, 22_2_0006B2B5
Source: C:\Users\user\task.exe Code function: 22_2_00074C52 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 22_2_00074C52
Source: C:\Users\user\task.exe Code function: 24_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 24_2_0040987A
Source: C:\Users\user\task.exe Code function: 24_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 24_2_004098E2
Source: C:\Users\user\task.exe Code function: 22_2_0006B2B5 OpenClipboard,GetClipboardData,CloseClipboard, 22_2_0006B2B5
Source: C:\Users\user\task.exe Code function: 22_2_00069F7D GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 22_2_00069F7D
Source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_655acf23-d
Source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_d8b5a7e2-6
Source: Yara match File source: 31.3.svchost.exe.5430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.task.exe.2b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.task.exe.2d70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.svchost.exe.5430000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.task.exe.2d70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.svchost.exe.5430000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.svchost.exe.5650000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000003.1677021053.0000000005430000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1668306416.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: task.exe PID: 7340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2148, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.4483545764.00000000000B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4482520616.0000000000060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4490232230.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4483930249.0000000000176000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4495447446.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: task.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 1272, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\task.exe Code function: 22_2_0007AC11 SystemParametersInfoW, 22_2_0007AC11

System Summary

Source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.1571921794.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\task.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Memory allocated: 75760000 page execute and read and write Jump to behavior
Source: C:\Users\user\task.exe Memory allocated: 75760000 page execute and read and write Jump to behavior
Source: C:\Users\user\task.exe Memory allocated: 75760000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DC7F0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 8_2_6C8DC7F0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DC910 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 8_2_6C8DC910
Source: C:\Users\user\task.exe Code function: 22_2_6FE7C7F0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 22_2_6FE7C7F0
Source: C:\Users\user\task.exe Code function: 22_2_6FE7C910 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 22_2_6FE7C910
Source: C:\Users\user\task.exe Code function: 22_2_00076447 GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 22_2_00076447
Source: C:\Users\user\task.exe Code function: 22_2_00071673 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 22_2_00071673
Source: C:\Users\user\task.exe Code function: 22_2_00079CD4 OpenProcess,NtSuspendProcess,CloseHandle, 22_2_00079CD4
Source: C:\Users\user\task.exe Code function: 22_2_00079D00 OpenProcess,NtResumeProcess,CloseHandle, 22_2_00079D00
Source: C:\Users\user\task.exe Code function: 24_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 24_2_0040DD85
Source: C:\Users\user\task.exe Code function: 24_2_00401806 NtdllDefWindowProc_W, 24_2_00401806
Source: C:\Users\user\task.exe Code function: 24_2_004018C0 NtdllDefWindowProc_W, 24_2_004018C0
Source: C:\Users\user\task.exe Code function: 22_2_00074B45 ExitWindowsEx,LoadLibraryA,GetProcAddress, 22_2_00074B45
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\434f23.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{0028494D-9E28-4DD9-A336-17E8D634DF88} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI509A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI509A.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_3_05095E98 8_3_05095E98
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_3_050929E0 8_3_050929E0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_3_050950C0 8_3_050950C0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_3_05099AE0 8_3_05099AE0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F6CC1 8_2_6C8F6CC1
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8FED3B 8_2_6C8FED3B
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8FE890 8_2_6C8FE890
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DE970 8_2_6C8DE970
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DE480 8_2_6C8DE480
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8E2570 8_2_6C8E2570
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8E87C0 8_2_6C8E87C0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8E6700 8_2_6C8E6700
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8E8290 8_2_6C8E8290
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8EBDA0 8_2_6C8EBDA0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8D7F41 8_2_6C8D7F41
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8EB8F0 8_2_6C8EB8F0
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8E3960 8_2_6C8E3960
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C903AF1 8_2_6C903AF1
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DFB30 8_2_6C8DFB30
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DD170 8_2_6C8DD170
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_02648273 8_2_02648273
Source: C:\Users\user\task.exe Code function: 22_2_6FE9ED3B 22_2_6FE9ED3B
Source: C:\Users\user\task.exe Code function: 22_2_6FE7E970 22_2_6FE7E970
Source: C:\Users\user\task.exe Code function: 22_2_6FE9E890 22_2_6FE9E890
Source: C:\Users\user\task.exe Code function: 22_2_6FE887C0 22_2_6FE887C0
Source: C:\Users\user\task.exe Code function: 22_2_6FE86700 22_2_6FE86700
Source: C:\Users\user\task.exe Code function: 22_2_6FE82570 22_2_6FE82570
Source: C:\Users\user\task.exe Code function: 22_2_6FE7E480 22_2_6FE7E480
Source: C:\Users\user\task.exe Code function: 22_2_6FE88290 22_2_6FE88290
Source: C:\Users\user\task.exe Code function: 22_2_6FE77F41 22_2_6FE77F41
Source: C:\Users\user\task.exe Code function: 22_2_6FE8BDA0 22_2_6FE8BDA0
Source: C:\Users\user\task.exe Code function: 22_2_6FE7FB30 22_2_6FE7FB30
Source: C:\Users\user\task.exe Code function: 22_2_6FEA3AF1 22_2_6FEA3AF1
Source: C:\Users\user\task.exe Code function: 22_2_6FE83960 22_2_6FE83960
Source: C:\Users\user\task.exe Code function: 22_2_6FE8B8F0 22_2_6FE8B8F0
Source: C:\Users\user\task.exe Code function: 22_2_6FE7D170 22_2_6FE7D170
Source: C:\Users\user\task.exe Code function: 22_2_00085219 22_2_00085219
Source: C:\Users\user\task.exe Code function: 22_2_0009128C 22_2_0009128C
Source: C:\Users\user\task.exe Code function: 22_2_000942B0 22_2_000942B0
Source: C:\Users\user\task.exe Code function: 22_2_000722DB 22_2_000722DB
Source: C:\Users\user\task.exe Code function: 22_2_00097307 22_2_00097307
Source: C:\Users\user\task.exe Code function: 22_2_0007D367 22_2_0007D367
Source: C:\Users\user\task.exe Code function: 22_2_0009D4CC 22_2_0009D4CC
Source: C:\Users\user\task.exe Code function: 22_2_000965BE 22_2_000965BE
Source: C:\Users\user\task.exe Code function: 22_2_000A1670 22_2_000A1670
Source: C:\Users\user\task.exe Code function: 22_2_000AB680 22_2_000AB680
Source: C:\Users\user\task.exe Code function: 22_2_0009D6FB 22_2_0009D6FB
Source: C:\Users\user\task.exe Code function: 22_2_0009773C 22_2_0009773C
Source: C:\Users\user\task.exe Code function: 22_2_000938AE 22_2_000938AE
Source: C:\Users\user\task.exe Code function: 22_2_000858B7 22_2_000858B7
Source: C:\Users\user\task.exe Code function: 22_2_0009D92A 22_2_0009D92A
Source: C:\Users\user\task.exe Code function: 22_2_000859FA 22_2_000859FA
Source: C:\Users\user\task.exe Code function: 22_2_00096ABA 22_2_00096ABA
Source: C:\Users\user\task.exe Code function: 22_2_000ABD29 22_2_000ABD29
Source: C:\Users\user\task.exe Code function: 22_2_00084D22 22_2_00084D22
Source: C:\Users\user\task.exe Code function: 22_2_0007BDB0 22_2_0007BDB0
Source: C:\Users\user\task.exe Code function: 22_2_00096ED2 22_2_00096ED2
Source: C:\Users\user\task.exe Code function: 22_2_000AFF04 22_2_000AFF04
Source: C:\Users\user\task.exe Code function: 22_2_000B3FD0 22_2_000B3FD0
Source: C:\Users\user\task.exe Code function: 22_2_10017194 22_2_10017194
Source: C:\Users\user\task.exe Code function: 22_2_1000B5C1 22_2_1000B5C1
Source: C:\Users\user\task.exe Code function: 22_2_02575322 22_2_02575322
Source: C:\Users\user\task.exe Code function: 22_2_0258D395 22_2_0258D395
Source: C:\Users\user\task.exe Code function: 22_2_02586029 22_2_02586029
Source: C:\Users\user\task.exe Code function: 22_2_025910DB 22_2_025910DB
Source: C:\Users\user\task.exe Code function: 22_2_0259B0EB 22_2_0259B0EB
Source: C:\Users\user\task.exe Code function: 22_2_0258D166 22_2_0258D166
Source: C:\Users\user\task.exe Code function: 22_2_0257478D 22_2_0257478D
Source: C:\Users\user\task.exe Code function: 22_2_02575465 22_2_02575465
Source: C:\Users\user\task.exe Code function: 22_2_0256B81B 22_2_0256B81B
Source: C:\Users\user\task.exe Code function: 22_2_0258CF37 22_2_0258CF37
Source: C:\Users\user\task.exe Code function: 22_2_02580CF7 22_2_02580CF7
Source: C:\Users\user\task.exe Code function: 22_2_02574C84 22_2_02574C84
Source: C:\Users\user\task.exe Code function: 22_2_02583D1B 22_2_02583D1B
Source: C:\Users\user\task.exe Code function: 22_2_0256CDD2 22_2_0256CDD2
Source: C:\Users\user\task.exe Code function: 24_2_0044B040 24_2_0044B040
Source: C:\Users\user\task.exe Code function: 24_2_0043610D 24_2_0043610D
Source: C:\Users\user\task.exe Code function: 24_2_00447310 24_2_00447310
Source: C:\Users\user\task.exe Code function: 24_2_0044A490 24_2_0044A490
Source: C:\Users\user\task.exe Code function: 24_2_0040755A 24_2_0040755A
Source: C:\Users\user\task.exe Code function: 24_2_0043C560 24_2_0043C560
Source: C:\Users\user\task.exe Code function: 24_2_0044B610 24_2_0044B610
Source: C:\Users\user\task.exe Code function: 24_2_0044D6C0 24_2_0044D6C0
Source: C:\Users\user\task.exe Code function: 24_2_004476F0 24_2_004476F0
Source: C:\Users\user\task.exe Code function: 24_2_0044B870 24_2_0044B870
Source: C:\Users\user\task.exe Code function: 24_2_0044081D 24_2_0044081D
Source: C:\Users\user\task.exe Code function: 24_2_00414957 24_2_00414957
Source: C:\Users\user\task.exe Code function: 24_2_004079EE 24_2_004079EE
Source: C:\Users\user\task.exe Code function: 24_2_00407AEB 24_2_00407AEB
Source: C:\Users\user\task.exe Code function: 24_2_0044AA80 24_2_0044AA80
Source: C:\Users\user\task.exe Code function: 24_2_00412AA9 24_2_00412AA9
Source: C:\Users\user\task.exe Code function: 24_2_00404B74 24_2_00404B74
Source: C:\Users\user\task.exe Code function: 24_2_00404B03 24_2_00404B03
Source: C:\Users\user\task.exe Code function: 24_2_0044BBD8 24_2_0044BBD8
Source: C:\Users\user\task.exe Code function: 24_2_00404BE5 24_2_00404BE5
Source: C:\Users\user\task.exe Code function: 24_2_00404C76 24_2_00404C76
Source: C:\Users\user\task.exe Code function: 24_2_00415CFE 24_2_00415CFE
Source: C:\Users\user\task.exe Code function: 24_2_00416D72 24_2_00416D72
Source: C:\Users\user\task.exe Code function: 24_2_00446D30 24_2_00446D30
Source: C:\Users\user\task.exe Code function: 24_2_00446D8B 24_2_00446D8B
Source: C:\Users\user\task.exe Code function: 24_2_00406E8F 24_2_00406E8F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\67a1ae3c4a36f34f89fd14e4fff5e74c.tmp 796EA1D27ED5825E300C3C9505A87B2445886623235F3E41258DE90BA1604CD5
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: String function: 6C8F12B0 appears 36 times
Source: C:\Users\user\task.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\task.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\task.exe Code function: String function: 6FE912B0 appears 36 times
Source: C:\Users\user\task.exe Code function: String function: 000620BD appears 46 times
Source: C:\Users\user\task.exe Code function: String function: 00092100 appears 42 times
Source: C:\Users\user\task.exe Code function: String function: 02581B6B appears 41 times
Source: C:\Users\user\task.exe Code function: String function: 0258224B appears 47 times
Source: C:\Users\user\task.exe Code function: String function: 00061E82 appears 33 times
Source: C:\Users\user\task.exe Code function: String function: 000927E0 appears 54 times
Source: C:\Users\user\task.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\task.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 976
Source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.1571921794.0000000002590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: task.exe, 00000016.00000003.1652380221.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647531865.0000000003CAF000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649253542.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652045010.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647738667.0000000003CAF000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652977874.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650539674.0000000003F3A000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652572952.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647629402.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651396491.0000000004015000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647833006.0000000000871000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .a_po^ ojYd.o B U.R G v.Q_F& ZNH K.9.sV`OQ qOq_A( N5.j P.X z.k.Yf_HL.P.L`.C Ue_q_B_t.h{_yr\=A f.3_q_Fvb_H_bm W.UP#.by_iY.Yw I.Y_G p.3c g.Zy S v.U.N C_m Z_i.H_j B l_DH_Pd.iz_O.f~ U z_Mv_d7 T Mz.f.594/}_m kS.v.D u.rZu.S G.N_x.V J.Q.G FO^.X<.6_fv.V ny.L,_E.2.m I_l.b$ Mx sZ.K! p.Y.U.V:U.89 R_H F3.d_R A UQ.C_y y Y Jb.Q_S.N.s< l_Ab~[_w9zV?!C9.N_HQ)*_n R.tP Ww_u aU;.V EPk Xr.Q0.y.A!]_b!7 g.R_pF.E_b o.o.q.o_E.T_rdfw.c}_ck.4.Y_w:_P.B(#`_xy_i.3_Y.A_N.q.6.YE_S_T.R H n.R_d_F.V.s_R68).I aL q.H b.W.Q!.r b_w c c$_va.X_v.tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_C_Q.e J q7E V P.LP_Q.kTN_c.F.D gc.hT_s_Q1
Source: task.exe, 00000016.00000003.1652380221.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647531865.0000000003CAF000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649253542.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652045010.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647738667.0000000003CAF000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652977874.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650539674.0000000003F3A000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652572952.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647629402.000000000086D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651396491.0000000004015000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1647833006.0000000000871000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .tRm l.sln_D c! C.7_F m M_j6 zr.w F i}%_N.RB A7_wG_m.4_A#&.G mCx.Q_s N pTS.n.e C.4_v_
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.evad.winMSI@70/148@12/12
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DCAF0 GetModuleHandleW,FormatMessageW,GetLastError, 8_2_6C8DCAF0
Source: C:\Users\user\task.exe Code function: 22_2_00075C8A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 22_2_00075C8A
Source: C:\Users\user\task.exe Code function: 24_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 24_2_00418758
Source: C:\Users\user\task.exe Code function: 22_2_0006E45A CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 22_2_0006E45A
Source: C:\Users\user\task.exe Code function: 22_2_00079789 FindResourceA,LoadResource,LockResource,SizeofResource, 22_2_00079789
Source: C:\Users\user\task.exe Code function: 22_2_00078D0C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 22_2_00078D0C
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\apps.bat
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Mutant created: \Sessions\1\BaseNamedObjects\zRRdyPN41SkDaS8h3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7880
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Users\user\task.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RNN6CM
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-a34ef0fe-40fa-1ddbcb-aeea2ee60c14}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF218C22ED6F4C8576.TMP
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Users\user\task.exe System information queried: HandleInformation
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\msiwrapper.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp, task.exe, 0000001A.00000002.1666220432.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: task.exe, 00000016.00000002.4496169757.0000000002FF0000.00000040.10000000.00040000.00000000.sdmp, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: task.exe, 00000018.00000002.1685578220.0000000002736000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1879011150.000001BE85C37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1878511893.000001BE85617000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.1903680405.000001BE85617000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: task.exe, task.exe, 00000018.00000002.1684002660.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: wE1inOhJA5.msi ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\wE1inOhJA5.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E1280F90D0867DD413F7EEEF5D19EFB6
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe"
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 976
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\gifwhgt"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\jckohyeeyyu"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\tfphirpfmgmayj"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Users\user\task.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chrFE01.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/10d9defc/6c77fc35"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2376,i,16818295695986717264,7118115118329945779,262144 /prefetch:8
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6BC.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/10d9defc/32916e99"
Source: C:\Windows\System32\conhost.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=2100,i,4541570122865520646,14461282582081406380,262144 /prefetch:3
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E1280F90D0867DD413F7EEEF5D19EFB6
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\gifwhgt"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\jckohyeeyyu"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\tfphirpfmgmayj"
Source: C:\Users\user\task.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chrFE01.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/10d9defc/6c77fc35"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --user-data-dir="C:\Users\user\AppData\Local\Temp\chr6BC.tmp" --explicitly-allowed-ports=8000 --disable-gpu --new-window "http://127.0.0.1:8000/10d9defc/32916e99"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2480 --field-trial-handle=2376,i,16818295695986717264,7118115118329945779,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=2100,i,4541570122865520646,14461282582081406380,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dpx.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: wdscore.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: dbgcore.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ndfapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wdi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Users\user\task.exe Section loaded: apphelp.dll
Source: C:\Users\user\task.exe Section loaded: g2m.dll
Source: C:\Users\user\task.exe Section loaded: winmm.dll
Source: C:\Users\user\task.exe Section loaded: urlmon.dll
Source: C:\Users\user\task.exe Section loaded: iertutil.dll
Source: C:\Users\user\task.exe Section loaded: srvcli.dll
Source: C:\Users\user\task.exe Section loaded: netutils.dll
Source: C:\Users\user\task.exe Section loaded: wininet.dll
Source: C:\Users\user\task.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\task.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\task.exe Section loaded: ncrypt.dll
Source: C:\Users\user\task.exe Section loaded: ntasn1.dll
Source: C:\Users\user\task.exe Section loaded: sspicli.dll
Source: C:\Users\user\task.exe Section loaded: mswsock.dll
Source: C:\Users\user\task.exe Section loaded: dnsapi.dll
Source: C:\Users\user\task.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\task.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\task.exe Section loaded: cryptsp.dll
Source: C:\Users\user\task.exe Section loaded: rsaenh.dll
Source: C:\Users\user\task.exe Section loaded: cryptbase.dll
Source: C:\Users\user\task.exe Section loaded: windows.storage.dll
Source: C:\Users\user\task.exe Section loaded: wldp.dll
Source: C:\Users\user\task.exe Section loaded: profapi.dll
Source: C:\Users\user\task.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\task.exe Section loaded: dpapi.dll
Source: C:\Users\user\task.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\task.exe Section loaded: winhttp.dll
Source: C:\Users\user\task.exe Section loaded: winnsi.dll
Source: C:\Users\user\task.exe Section loaded: version.dll
Source: C:\Users\user\task.exe Section loaded: wininet.dll
Source: C:\Users\user\task.exe Section loaded: windows.storage.dll
Source: C:\Users\user\task.exe Section loaded: wldp.dll
Source: C:\Users\user\task.exe Section loaded: cryptsp.dll
Source: C:\Users\user\task.exe Section loaded: rsaenh.dll
Source: C:\Users\user\task.exe Section loaded: cryptbase.dll
Source: C:\Users\user\task.exe Section loaded: pstorec.dll
Source: C:\Users\user\task.exe Section loaded: vaultcli.dll
Source: C:\Users\user\task.exe Section loaded: wintypes.dll
Source: C:\Users\user\task.exe Section loaded: dpapi.dll
Source: C:\Users\user\task.exe Section loaded: msasn1.dll
Source: C:\Users\user\task.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\task.exe Section loaded: windows.storage.dll
Source: C:\Users\user\task.exe Section loaded: wldp.dll
Source: C:\Users\user\task.exe Section loaded: pstorec.dll
Source: C:\Users\user\task.exe Section loaded: sspicli.dll
Source: C:\Users\user\task.exe Section loaded: msasn1.dll
Source: C:\Users\user\task.exe Section loaded: msasn1.dll
Source: C:\Users\user\task.exe Section loaded: windows.storage.dll
Source: C:\Users\user\task.exe Section loaded: wldp.dll
Source: C:\Users\user\task.exe Section loaded: msasn1.dll
Source: C:\Users\user\task.exe Section loaded: sspicli.dll
Source: C:\Users\user\task.exe Section loaded: cryptsp.dll
Source: C:\Users\user\task.exe Section loaded: rsaenh.dll
Source: C:\Users\user\task.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\task.exe Section loaded: g2m.dll
Source: C:\Users\user\task.exe Section loaded: winmm.dll
Source: C:\Users\user\task.exe Section loaded: urlmon.dll
Source: C:\Users\user\task.exe Section loaded: iertutil.dll
Source: C:\Users\user\task.exe Section loaded: srvcli.dll
Source: C:\Users\user\task.exe Section loaded: netutils.dll
Source: C:\Users\user\task.exe Section loaded: wininet.dll
Source: C:\Users\user\task.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\task.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\task.exe Section loaded: ncrypt.dll
Source: C:\Users\user\task.exe Section loaded: ntasn1.dll
Source: C:\Users\user\task.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\msiwrapper.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
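The process-creation, module-load and registry lines above are raw sandbox telemetry. The Python below is an example added by the editor, not code from the Joe Sandbox report or from the sample, showing how a detection engineer could turn a few of those observations into rules: dllhost.exe started by wmplayer.exe rather than a service host, a 32-bit svchost.exe under SysWOW64 loading amsi.dll, and a user-profile task.exe loading the Credential Manager and Protected Storage client DLLs and opening the Outlook account key. The event records are constructed to mirror the report's lines; the expected-parent table, the DLL sets and the allowlist are the editor's assumptions and need tuning against a real baseline.

```python
from typing import Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]

# Windows host binaries and the parent image that normally starts them
# (editor's assumption; tune against your own baseline).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "dllhost.exe": {"svchost.exe"},   # COM surrogate, started via DcomLaunch
}
# Modules whose presence in a host process means managed code (and AMSI
# scanning of it) runs there; a stock svchost/dllhost has no reason to load them.
CLR_AMSI_DLLS = {"mscoree.dll", "clr.dll", "clrjit.dll", "amsi.dll"}
# Client DLLs for the Credential Manager vault and Protected Storage.
CREDENTIAL_DLLS = {"vaultcli.dll", "pstorec.dll"}
# Registry paths holding mail account settings and stored passwords.
MAIL_ACCOUNT_KEYS = ("\\outlook\\omi account manager\\accounts",)
# Hypothetical local allowlist of images expected to touch those stores.
CREDENTIAL_ALLOWLIST = {"lsass.exe", "explorer.exe", "runtimebroker.exe", "outlook.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Event) -> List[Finding]:
    child, parent = basename(ev["image"]), basename(ev["parent"])
    if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
        return [("unexpected_parent", f"{child} spawned by {parent}")]
    return []


def check_image_load(ev: Event) -> List[Finding]:
    proc, module = basename(ev["image"]), ev["module"].lower()
    out: List[Finding] = []
    if proc in EXPECTED_PARENTS and "\\syswow64\\" in ev["image"].lower():
        out.append(("wow64_host_process", f"{proc} running from SysWOW64"))
    if proc in EXPECTED_PARENTS and module in CLR_AMSI_DLLS:
        out.append(("clr_or_amsi_in_host", f"{proc} loaded {module}"))
    if module in CREDENTIAL_DLLS and proc not in CREDENTIAL_ALLOWLIST:
        out.append(("credential_store_access", f"{proc} loaded {module}"))
    return out


def check_registry(ev: Event) -> List[Finding]:
    proc, key = basename(ev["image"]), ev["key"].lower()
    if proc not in CREDENTIAL_ALLOWLIST and any(k in key for k in MAIL_ACCOUNT_KEYS):
        return [("mail_account_registry_read", f"{proc} opened {ev['key']}")]
    return []


RULES = {"ProcessCreate": check_process_create,
         "ImageLoad": check_image_load,
         "RegistryOpen": check_registry}


def analyse(events: List[Event]) -> List[Finding]:
    """Run the rule for each event type; report every distinct finding once,
    in first-seen order, so repeated loads do not flood the output."""
    seen, findings = set(), []
    for ev in events:
        for hit in RULES.get(ev["type"], lambda _: [])(ev):
            if hit not in seen:
                seen.add(hit)
                findings.append(hit)
    return findings


# Constructed events (Sysmon-style fields) mirroring lines in the report.
SAMPLE_EVENTS: List[Event] = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\dllhost.exe",
     "parent": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},          # benign baseline
    {"type": "ImageLoad", "image": r"C:\Windows\SysWOW64\svchost.exe", "module": "wbemcomn.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\SysWOW64\svchost.exe", "module": "amsi.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\System32\dllhost.exe", "module": "dhcpcsvc.dll"},
    {"type": "ImageLoad", "image": r"C:\Users\user\task.exe", "module": "pstorec.dll"},
    {"type": "ImageLoad", "image": r"C:\Users\user\task.exe", "module": "vaultcli.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe", "module": "vaultcli.dll"},  # allowlisted
    {"type": "RegistryOpen", "image": r"C:\Users\user\task.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The parent-child rule is the strongest of the four on its own; the other three are low-confidence individually (a 32-bit svchost.exe or a vaultcli.dll load each have benign explanations) and are meant to be scored together per process, which is how the report's own "System process connects to network (likely due to code injection)" verdict is reached.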
Source: wE1inOhJA5.msi Static file information: File size 1753088 > 1048576
Source: Binary string: your_package_name.pdbG source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1573600735.000000006C906000.00000002.00000001.01000000.00000006.sdmp, task.exe, 00000008.00000003.1472143930.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000016.00000002.4498290278.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp, task.exe, 0000001E.00000002.4491311882.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: wkernel32.pdb source: task.exe, 00000019.00000003.1667788844.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1667935272.0000000002C70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676696250.0000000005550000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676535563.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1572618363.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1668306416.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677021053.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: task.exe, 00000019.00000003.1664725236.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1665323555.0000000002D40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675135210.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675381954.0000000005620000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: your_package_name.pdbI source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: task.exe, 00000019.00000003.1665989629.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1666587570.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675802717.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676138788.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: task.exe, 00000019.00000003.1664725236.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1665323555.0000000002D40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675135210.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675381954.0000000005620000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: task.exe, 00000019.00000003.1665989629.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1666587570.0000000002CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1675802717.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676138788.00000000055D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: task.exe, 0000001A.00000002.1666589979.000000000061C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: your_package_name.pdb source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1573600735.000000006C906000.00000002.00000001.01000000.00000006.sdmp, task.exe, 00000008.00000003.1472143930.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000016.00000002.4498290278.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp, task.exe, 0000001E.00000002.4491311882.000000006FEA6000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: wkernelbase.pdbUGP source: task.exe, 00000019.00000003.1668759956.0000000002D70000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1668306416.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677021053.0000000005430000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: task.exe, 00000019.00000003.1667788844.0000000002B50000.00000004.00000001.00020000.00000000.sdmp, task.exe, 00000019.00000003.1667935272.0000000002C70000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676696250.0000000005550000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.1676535563.0000000005430000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\ss2\Projects\MsiWrapper\MsiCustomActions\Release\MsiCustomActions.pdb source: expand.exe, 00000006.00000003.1433042313.000000000482F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: expand.exe, 00000006.00000003.1433042313.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000008.00000002.1572618363.0000000002BF4000.00000004.00000800.00020000.00000000.sdmp, task.exe, 00000008.00000002.1571419937.0000000000402000.00000002.00000001.01000000.00000005.sdmp, task.exe, 00000008.00000000.1439408986.0000000000402000.00000002.00000001.01000000.00000005.sdmp, task.exe, 00000016.00000000.1579511832.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000016.00000002.4486274195.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000018.00000000.1650674244.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 00000019.00000002.1675825905.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001A.00000000.1651000866.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001B.00000000.1652070836.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001E.00000002.4486356902.0000000000402000.00000002.00000001.01000000.0000000A.sdmp, task.exe, 0000001E.00000000.1662738715.0000000000402000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*.* source: task.exe, 0000001A.00000002.1666589979.0000000000608000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\task.exe Unpacked PE file: 24.2.task.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\task.exe Unpacked PE file: 26.2.task.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\task.exe Unpacked PE file: 27.2.task.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: 32.3.svchost.exe.1be856bc070.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 32.3.svchost.exe.1be856bc070.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 32.3.svchost.exe.1be856bc070.0.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 32.3.svchost.exe.1be856bc070.0.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DB840 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex, 8_2_6C8DB840
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8C8720 push eax; mov dword ptr [esp], 00000007h 8_2_6C8C8721
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C904201 push ecx; ret 8_2_6C904214
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8B1830 push eax; mov dword ptr [esp], 00000000h 8_2_6C8B1831
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8CB0C0 push eax; mov dword ptr [esp], 00000000h 8_2_6C8CB0C1
Source: C:\Users\user\task.exe Code function: 22_2_6FE68720 push eax; mov dword ptr [esp], 00000007h 22_2_6FE68721
Source: C:\Users\user\task.exe Code function: 22_2_6FEA4201 push ecx; ret 22_2_6FEA4214
Source: C:\Users\user\task.exe Code function: 22_2_6FE51830 push eax; mov dword ptr [esp], 00000000h 22_2_6FE51831
Source: C:\Users\user\task.exe Code function: 22_2_6FE6B0C0 push eax; mov dword ptr [esp], 00000000h 22_2_6FE6B0C1
Source: C:\Users\user\task.exe Code function: 22_2_000B3076 push ecx; ret 22_2_000B3089
Source: C:\Users\user\task.exe Code function: 22_2_00092826 push ecx; ret 22_2_00092839
Source: C:\Users\user\task.exe Code function: 22_2_000B3998 push eax; ret 22_2_000B39B6
Source: C:\Users\user\task.exe Code function: 22_2_10002806 push ecx; ret 22_2_10002819
Source: C:\Users\user\task.exe Code function: 22_2_02582291 push ecx; ret 22_2_025822A4
Source: C:\Users\user\task.exe Code function: 22_2_0255811E push ebx; ret 22_2_0255811F
Source: C:\Users\user\task.exe Code function: 22_2_0255C78E pushfd ; retf 22_2_0255C78F
Source: C:\Users\user\task.exe Code function: 22_2_025A3403 push eax; ret 22_2_025A3421
Source: C:\Users\user\task.exe Code function: 22_2_02572496 push esi; ret 22_2_02572498
Source: C:\Users\user\task.exe Code function: 22_2_025A2AE1 push ecx; ret 22_2_025A2AF4
Source: C:\Users\user\task.exe Code function: 22_2_025C5C6B push edx; ret 22_2_025C5CDB
Source: C:\Users\user\task.exe Code function: 24_2_0044693D push ecx; ret 24_2_0044694D
Source: C:\Users\user\task.exe Code function: 24_2_0044DB70 push eax; ret 24_2_0044DB84
Source: C:\Users\user\task.exe Code function: 24_2_0044DB70 push eax; ret 24_2_0044DBAC
Source: C:\Users\user\task.exe Code function: 24_2_00451D54 push eax; ret 24_2_00451D61
Source: C:\Users\user\task.exe Code function: 22_2_00066F61 ShellExecuteW,URLDownloadToFileW, 22_2_00066F61
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI509A.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe (copy)
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\67a1ae3c4a36f34f89fd14e4fff5e74c.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\g2m.dll (copy)
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\87377860be1e204a95d069480a67ac12.tmp
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\your_package_name.dll (copy)
Source: C:\Windows\SysWOW64\expand.exe File created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\75aedfde5bde214c9f1dda9d9e9a381f.tmp
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\task.exe
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\g2m.dll
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\task.exe
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\g2m.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI509A.tmp

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\task.exe
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe File created: C:\Users\user\g2m.dll
Source: C:\Users\user\task.exe Code function: 22_2_00078D0C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 22_2_00078D0C
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run apps (2 occurrences)
Source: C:\Users\user\task.exe Code function: 22_2_0007AD7F LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 22_2_0007AD7F
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\task.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\task.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\task.exe Code function: 22_2_0006E304 Sleep,ExitProcess, 22_2_0006E304
Source: C:\Users\user\task.exe API/Special instruction interceptor: Address: 7FF90818D044
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FF90818D044
Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 56FB83A
Source: task.exe, 00000016.00000003.1649617657.0000000000874000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMECFF EXPLORER.EXE:
Source: task.exe, 00000016.00000003.1652380221.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649253542.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652045010.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652977874.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649057788.0000000000869000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650539674.0000000003F3A000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652572952.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649361427.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651396491.0000000004015000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648863747.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000002.4497721588.0000000004179000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: task.exe, 00000016.00000003.1652380221.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649253542.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652045010.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652977874.0000000003B9D000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649057788.0000000000869000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1650539674.0000000003F3A000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1652572952.0000000002DFB000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649361427.0000000000870000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1651396491.0000000004015000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648863747.0000000003C55000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000002.4497721588.0000000004179000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Memory allocated: 2960000 memory reserve | memory write watch
Source: C:\Users\user\task.exe Code function: 24_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 24_2_0040DD85
Source: C:\Users\user\task.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 22_2_00078A3A
Source: C:\Users\user\task.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\task.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\task.exe Window / User API: threadDelayed 4633
Source: C:\Users\user\task.exe Window / User API: threadDelayed 5346
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI509A.tmp
Source: C:\Windows\SysWOW64\expand.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\87377860be1e204a95d069480a67ac12.tmp
Source: C:\Windows\SysWOW64\expand.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\your_package_name.dll (copy)
Source: C:\Windows\SysWOW64\expand.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\775b62a938f64659aead6abedaf63071$dpx$.tmp\75aedfde5bde214c9f1dda9d9e9a381f.tmp
Source: C:\Users\user\task.exe TID: 1080 Thread sleep count: 4633 > 30
Source: C:\Users\user\task.exe TID: 1080 Thread sleep time: -13899000s >= -30000s
Source: C:\Users\user\task.exe TID: 1080 Thread sleep count: 5346 > 30
Source: C:\Users\user\task.exe TID: 1080 Thread sleep time: -16038000s >= -30000s
Source: C:\Users\user\task.exe TID: 5940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\task.exe TID: 4712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (2 occurrences)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\expand.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8FB0E1 FindFirstFileExW, 8_2_6C8FB0E1
Source: C:\Users\user\task.exe Code function: 22_2_6FE9B0E1 FindFirstFileExW, 22_2_6FE9B0E1
Source: C:\Users\user\task.exe Code function: 22_2_0006BF45 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 22_2_0006BF45
Source: C:\Users\user\task.exe Code function: 22_2_0006919E __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_0006919E
Source: C:\Users\user\task.exe Code function: 22_2_00068290 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 22_2_00068290
Source: C:\Users\user\task.exe Code function: 22_2_000672F0 FindFirstFileW,FindNextFileW, 22_2_000672F0
Source: C:\Users\user\task.exe Code function: 22_2_0007A467 FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 22_2_0007A467
Source: C:\Users\user\task.exe Code function: 22_2_0006B6E8 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 22_2_0006B6E8
Source: C:\Users\user\task.exe Code function: 22_2_000A97E9 FindFirstFileExA, 22_2_000A97E9
Source: C:\Users\user\task.exe Code function: 22_2_0006B903 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 22_2_0006B903
Source: C:\Users\user\task.exe Code function: 22_2_00068D46 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_00068D46
Source: C:\Users\user\task.exe Code function: 22_2_00077DE7 FindFirstFileW,FindNextFileW,FindNextFileW, 22_2_00077DE7
Source: C:\Users\user\task.exe Code function: 22_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 22_2_100010F1
Source: C:\Users\user\task.exe Code function: 22_2_10006580 FindFirstFileExA, 22_2_10006580
Source: C:\Users\user\task.exe Code function: 24_2_0040AE51 FindFirstFileW,FindNextFileW, 24_2_0040AE51
Source: C:\Users\user\task.exe Code function: 22_2_0006771B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 22_2_0006771B
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8C93B0 GetSystemInfo, 8_2_6C8C93B0
Source: C:\Users\user\task.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\task.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat
Source: svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: task.exe, 00000016.00000003.1648607977.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642454762.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646821801.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1649361427.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1639168513.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1643644507.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1648139673.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1642187022.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1646278220.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1638859407.00000000008A3000.00000004.00000020.00020000.00000000.sdmp, task.exe, 00000016.00000003.1641701441.00000000008A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001F.00000002.1764735514.000000000325C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRSVP UDPv6 Service Provider
Source: svchost.exe, 0000001F.00000002.1764690354.0000000003212000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: svchost.exe, 0000001F.00000003.1677266218.0000000005650000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: task.exe, 0000001E.00000002.4488282758.0000000000527000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8D8D40 LdrInitializeThunk,WSAStartup,WSACleanup, 8_2_6C8D8D40
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F84FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C8F84FB
Source: C:\Users\user\task.exe Code function: 24_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 24_2_0040DD85
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DB840 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex, 8_2_6C8DB840
Source: C:\Users\user\task.exe Code function: 22_2_0009FDBE mov eax, dword ptr fs:[00000030h] 22_2_0009FDBE
Source: C:\Users\user\task.exe Code function: 22_2_10004AB4 mov eax, dword ptr fs:[00000030h] 22_2_10004AB4
Source: C:\Users\user\task.exe Code function: 22_2_0258F829 mov eax, dword ptr fs:[00000030h] 22_2_0258F829
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C904D50 GetProcessHeap,HeapAlloc, 8_2_6C904D50
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F84FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C8F84FB
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F1134 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C8F1134
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F12F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C8F12F8
Source: C:\Users\user\task.exe Code function: 22_2_6FE984FB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_6FE984FB
Source: C:\Users\user\task.exe Code function: 22_2_6FE912F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_6FE912F8
Source: C:\Users\user\task.exe Code function: 22_2_6FE91134 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_6FE91134
Source: C:\Users\user\task.exe Code function: 22_2_00092484 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00092484
Source: C:\Users\user\task.exe Code function: 22_2_000994A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_000994A3
Source: C:\Users\user\task.exe Code function: 22_2_0009297F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0009297F
Source: C:\Users\user\task.exe Code function: 22_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_100060E2
Source: C:\Users\user\task.exe Code function: 22_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_10002B1C
Source: C:\Users\user\task.exe Code function: 22_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_10002639
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 179.43.171.196 5982
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 20A308F0000 protect: page read and write
Source: C:\Users\user\task.exe Code function: 22_2_00076447 GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 22_2_00076447
Source: C:\Users\user\task.exe Section loaded: NULL target: C:\Users\user\task.exe protection: execute and read and write
Source: C:\Users\user\task.exe Section loaded: NULL target: C:\Users\user\task.exe protection: execute and read and write
Source: C:\Users\user\task.exe Section loaded: NULL target: C:\Users\user\task.exe protection: execute and read and write
Source: C:\Users\user\task.exe Section loaded: NULL target: C:\Users\user\task.exe protection: execute and read and write
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 20A308F0000
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF733CD14E0
Source: C:\Users\user\task.exe Code function: 22_2_00077936 mouse_event, 22_2_00077936
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\apps.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\gifwhgt"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\jckohyeeyyu"
Source: C:\Users\user\task.exe Process created: C:\Users\user\task.exe C:\Users\user\task.exe /stext "C:\Users\user\AppData\Local\Temp\tfphirpfmgmayj"
Source: C:\Users\user\task.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\task.exe "task.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: task.exe, 00000016.00000002.4497115014.0000000003660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: task.exe, 00000016.00000002.4497115014.0000000003660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageru
Source: task.exe, 00000016.00000002.4490232230.0000000000879000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F141F cpuid 8_2_6C8F141F
Source: C:\Users\user\task.exe Code function: GetLocaleInfoA, 22_2_0006E42E
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 22_2_000AF090
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW, 22_2_000A50DE
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW, 22_2_000AF197
Source: C:\Users\user\task.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 22_2_000AF264
Source: C:\Users\user\task.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 22_2_000AE92C
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW, 22_2_000AEAFB
Source: C:\Users\user\task.exe Code function: EnumSystemLocalesW, 22_2_000AEBA4
Source: C:\Users\user\task.exe Code function: EnumSystemLocalesW, 22_2_000A4BD6
Source: C:\Users\user\task.exe Code function: EnumSystemLocalesW, 22_2_000AEBEF
Source: C:\Users\user\task.exe Code function: EnumSystemLocalesW, 22_2_000AEC8A
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 22_2_000AED17
Source: C:\Users\user\task.exe Code function: GetLocaleInfoW, 22_2_000AEF67
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\task.exe Queries volume information: C:\Users\user\data.bin VolumeInformation
Source: C:\Users\user\task.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\task.exe Queries volume information: C:\Users\user\data.bin VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8F0D83 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_6C8F0D83
Source: C:\Users\user\task.exe Code function: 22_2_000798EE GetComputerNameExW,GetUserNameW, 22_2_000798EE
Source: C:\Users\user\task.exe Code function: 22_2_000A5981 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 22_2_000A5981
Source: C:\Users\user\task.exe Code function: 24_2_0041739B GetVersionExW, 24_2_0041739B
Source: C:\Windows\SysWOW64\expand.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000001F.00000003.1672134784.0000000003480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1674900501.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1662192131.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1765068419.0000000003490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.4483545764.00000000000B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4482520616.0000000000060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4490232230.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4483930249.0000000000176000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4495447446.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: task.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 1272, type: MEMORYSTR
Source: C:\Users\user\task.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 22_2_0006B5CA
Source: C:\Users\user\task.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 22_2_0006B6E8
Source: C:\Users\user\task.exe Code function: \key3.db 22_2_0006B6E8
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\safebrowsing
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ca4gppea.default
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cache2\doomed
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\safebrowsing\google4
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cache2\entries
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\thumbnails
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cache2
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\settings\main
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome
Source: C:\Users\user\task.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\startupCache
Source: C:\Windows\System32\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\task.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: task.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 716, type: MEMORYSTR
Source: C:\Windows\System32\svchost.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Windows\System32\svchost.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Windows\System32\svchost.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\System32\svchost.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Windows\System32\svchost.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: Yara match File source: Process Memory Space: svchost.exe PID: 2968, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\task.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RNN6CM
Source: Yara match File source: 0000001F.00000003.1672134784.0000000003480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1674900501.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1662192131.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1765068419.0000000003490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 22.2.task.exe.255066b.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.255066b.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.task.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.task.exe.6066b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.4483545764.00000000000B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4482520616.0000000000060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4490232230.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.4483930249.0000000000176000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.4495447446.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: task.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: task.exe PID: 1272, type: MEMORYSTR
Source: C:\Users\user\task.exe Code function: cmd.exe 22_2_000657D6
Source: C:\Users\user\AppData\Local\Temp\MW-70394d6c-f51f-472d-a6f7-915654cf9b1e\files\task.exe Code function: 8_2_6C8DF8E0 bind,listen,WSAGetLastError,closesocket, 8_2_6C8DF8E0
Source: C:\Users\user\task.exe Code function: 22_2_6FE7F8E0 bind,listen,WSAGetLastError,closesocket, 22_2_6FE7F8E0